diff --git a/Makefile b/Makefile index 0c4a2dc1..f574a108 100644 --- a/Makefile +++ b/Makefile @@ -140,11 +140,21 @@ codegen-schema-openapi: $(KIND) $(HELM) ## Generate openapi schemas (v2 and v3) @kubectl get --raw /openapi/v3/apis/admissionregistration.k8s.io/v1 > ./schemas/openapi/v3/apis/admissionregistration.k8s.io/v1.json @$(KIND) delete cluster --name schema +.PHONY: codegen-schema-json +codegen-schema-json: codegen-schema-openapi ## Generate json schemas + @rm -rf ./schemas/json + @mkdir -p ./schemas/json + @chmod 777 ./schemas/json + @docker run --rm --name openapi2jsonschema --mount type=bind,source="$(PWD)"/schemas/openapi/v3,target=/v3 --mount type=bind,source="$(PWD)"/schemas/json,target=/json ghcr.io/fjogeleit/openapi2jsonschema:master /v3/apis/kyverno.io/v1.json --kubernetes --stand-alone --expanded -o /json/v3 + @docker run --rm --name openapi2jsonschema --mount type=bind,source="$(PWD)"/schemas/openapi/v3,target=/v3 --mount type=bind,source="$(PWD)"/schemas/json,target=/json ghcr.io/fjogeleit/openapi2jsonschema:master /v3/apis/kyverno.io/v2beta1.json --kubernetes --stand-alone --expanded -o /json/v3 + @docker run --rm --name openapi2jsonschema --mount type=bind,source="$(PWD)"/schemas/openapi/v3,target=/v3 --mount type=bind,source="$(PWD)"/schemas/json,target=/json ghcr.io/fjogeleit/openapi2jsonschema:master /v3/apis/kyverno.io/v2.json --kubernetes --stand-alone --expanded -o /json/v3 + @docker run --rm --name openapi2jsonschema --mount type=bind,source="$(PWD)"/schemas/openapi/v3,target=/v3 --mount type=bind,source="$(PWD)"/schemas/json,target=/json ghcr.io/fjogeleit/openapi2jsonschema:master /v3/apis/admissionregistration.k8s.io/v1.json --kubernetes --stand-alone --expanded -o /json/v3 + .PHONY: codegen-all -codegen-all: codegen-helm-docs codegen-schema-openapi ## Generate all codegen +codegen-all: codegen-helm-docs codegen-schema-json ## Generate all codegen .PHONY: verify-schemas -verify-schemas: codegen-schema-openapi ## Check openapi and json schemas are up to date +verify-schemas: codegen-schema-json ## Check openapi and json schemas are up to date @echo Checking openapi schemas are up to date... >&2 @git --no-pager diff -- schemas @echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-schema-openapi".' >&2 @@ -160,7 +170,7 @@ verify-helm-docs: codegen-helm-docs ## Check Helm charts are up to date @git diff --quiet --exit-code -- charts .PHONY: verify-codegen -verify-codegen: verify-helm-docs ## Verify all generated code and docs are up to date +verify-codegen: verify-helm-docs verify-schemas ## Verify all generated code and docs are up to date ######### # BUILD # diff --git a/schemas/json/v3/_definitions.json b/schemas/json/v3/_definitions.json index 2ecf1622..51d656b8 100644 --- a/schemas/json/v3/_definitions.json +++ b/schemas/json/v3/_definitions.json @@ -1,166 +1,1568 @@ { "components": { "schemas": { - "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": { - "description": "DeleteOptions may be provided when deleting an API object.", + "io.k8s.api.admissionregistration.v1.AuditAnnotation": { + "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", "type": "object", + "required": [ + "key", + "valueExpression" + ], "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "key": { + "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", "type": "string", - "enum": [ - "v1", - "admissionregistration.k8s.io/v1", - "admissionregistration.k8s.io/v1alpha1", - "admissionregistration.k8s.io/v1beta1", - "apps/v1", - "apps/v1beta1", - "apps/v1beta2", - "authentication.k8s.io/v1", - "authentication.k8s.io/v1alpha1", - "authentication.k8s.io/v1beta1", - "authorization.k8s.io/v1", - "authorization.k8s.io/v1beta1", - "autoscaling/v1", - "autoscaling/v2", - "autoscaling/v2beta1", - "autoscaling/v2beta2", - "batch/v1", - "batch/v1beta1", - "certificates.k8s.io/v1", - "certificates.k8s.io/v1alpha1", - "certificates.k8s.io/v1beta1", - "coordination.k8s.io/v1", - "coordination.k8s.io/v1beta1", - "discovery.k8s.io/v1", - "discovery.k8s.io/v1beta1", - "events.k8s.io/v1", - "events.k8s.io/v1beta1", - "extensions/v1beta1", - "flowcontrol.apiserver.k8s.io/v1", - "flowcontrol.apiserver.k8s.io/v1beta1", - "flowcontrol.apiserver.k8s.io/v1beta2", - "flowcontrol.apiserver.k8s.io/v1beta3", - "internal.apiserver.k8s.io/v1alpha1", - "networking.k8s.io/v1", - "networking.k8s.io/v1alpha1", - "networking.k8s.io/v1beta1", - "node.k8s.io/v1", - "node.k8s.io/v1alpha1", - "node.k8s.io/v1beta1", - "policy/v1", - "policy/v1beta1", - "rbac.authorization.k8s.io/v1", - "rbac.authorization.k8s.io/v1alpha1", - "rbac.authorization.k8s.io/v1beta1", - "resource.k8s.io/v1alpha2", - "scheduling.k8s.io/v1", - "scheduling.k8s.io/v1alpha1", - "scheduling.k8s.io/v1beta1", - "storage.k8s.io/v1", - "storage.k8s.io/v1alpha1", - "storage.k8s.io/v1beta1", - "storagemigration.k8s.io/v1alpha1" - ] + "default": "" }, - "dryRun": { - "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "valueExpression": { + "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "type": "string", + "default": "" + } + } + }, + "io.k8s.api.admissionregistration.v1.ExpressionWarning": { + "description": "ExpressionWarning is a warning information that targets a specific expression.", + "type": "object", + "required": [ + "fieldRef", + "warning" + ], + "properties": { + "fieldRef": { + "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", + "type": "string", + "default": "" + }, + "warning": { + "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", + "type": "string", + "default": "" + } + } + }, + "io.k8s.api.admissionregistration.v1.MatchCondition": { + "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", + "type": "object", + "required": [ + "name", + "expression" + ], + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string", + "default": "" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string", + "default": "" + } + } + }, + "io.k8s.api.admissionregistration.v1.MatchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "type": "object", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", "type": "array", "items": { - "type": "string", - "default": "" + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations" + } + ] }, "x-kubernetes-list-type": "atomic" }, - "gracePeriodSeconds": { - "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", - "type": "integer", - "format": "int64" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.", "type": "string", "enum": [ - "DeleteOptions" + "Equivalent", + "Exact" ] }, - "orphanDependents": { - "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", - "type": "boolean" + "namespaceSelector": { + "description": "NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] }, - "preconditions": { - "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.", + "objectSelector": { + "description": "ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.", "allOf": [ { - "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions" + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" } ] }, - "propagationPolicy": { - "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", - "type": "string" + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations" + } + ] + }, + "x-kubernetes-list-type": "atomic" } }, - "x-kubernetes-group-version-kind": [ - { - "group": "", - "kind": "DeleteOptions", - "version": "v1" + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1.MutatingWebhook": { + "description": "MutatingWebhook describes an admission webhook and the resources and operations it applies to.", + "type": "object", + "required": [ + "name", + "clientConfig", + "sideEffects", + "admissionReviewVersions" + ], + "properties": { + "admissionReviewVersions": { + "description": "AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" }, - { - "group": "admissionregistration.k8s.io", - "kind": "DeleteOptions", - "version": "v1" + "clientConfig": { + "description": "ClientConfig defines how to communicate with the hook. Required", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.WebhookClientConfig" + } + ] }, - { - "group": "admissionregistration.k8s.io", - "kind": "DeleteOptions", - "version": "v1alpha1" + "failurePolicy": { + "description": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.", + "type": "string", + "enum": [ + "Fail", + "Ignore" + ] }, - { - "group": "admissionregistration.k8s.io", - "kind": "DeleteOptions", - "version": "v1beta1" + "matchConditions": { + "description": "MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the error is ignored and the webhook is skipped", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MatchCondition" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" }, - { - "group": "apps", - "kind": "DeleteOptions", - "version": "v1" + "matchPolicy": { + "description": "matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.", + "type": "string", + "enum": [ + "Equivalent", + "Exact" + ] }, - { - "group": "apps", - "kind": "DeleteOptions", - "version": "v1beta1" + "name": { + "description": "The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.", + "type": "string", + "default": "" }, - { - "group": "apps", - "kind": "DeleteOptions", - "version": "v1beta2" + "namespaceSelector": { + "description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] }, - { - "group": "authentication.k8s.io", - "kind": "DeleteOptions", - "version": "v1" + "objectSelector": { + "description": "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] }, - { - "group": "authentication.k8s.io", - "kind": "DeleteOptions", - "version": "v1alpha1" + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the webhook may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call.\n - `\"Never\"` indicates that the webhook must not be called more than once in a single admission evaluation.", + "type": "string", + "enum": [ + "IfNeeded", + "Never" + ] }, - { - "group": "authentication.k8s.io", - "kind": "DeleteOptions", - "version": "v1beta1" + "rules": { + "description": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.RuleWithOperations" + } + ] + }, + "x-kubernetes-list-type": "atomic" }, - { - "group": "authorization.k8s.io", - "kind": "DeleteOptions", - "version": "v1" + "sideEffects": { + "description": "SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.", + "type": "string", + "enum": [ + "None", + "NoneOnDryRun", + "Some", + "Unknown" + ] }, - { - "group": "authorization.k8s.io", - "kind": "DeleteOptions", - "version": "v1beta1" + "timeoutSeconds": { + "description": "TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.", + "type": "integer", + "format": "int32" + } + } + }, + "io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration": { + "description": "MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "MutatingWebhookConfiguration" + ] + }, + "metadata": { + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + } + ] + }, + "webhooks": { + "description": "Webhooks is a list of webhooks and the affected resources and operations.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MutatingWebhook" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingWebhookConfiguration", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList": { + "description": "MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "items": { + "description": "List of MutatingWebhookConfiguration.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration" + } + ] + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "MutatingWebhookConfigurationList" + ] + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingWebhookConfigurationList", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.NamedRuleWithOperations": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "type": "object", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "", + "enum": [ + "*", + "CONNECT", + "CREATE", + "DELETE", + "UPDATE" + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1.ParamKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": "string" + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": "string" + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1.ParamRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "type": "object", + "properties": { + "name": { + "description": "name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.", + "type": "string" + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": "string" + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired", + "type": "string" + }, + "selector": { + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1.RuleWithOperations": { + "description": "RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.", + "type": "object", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "type": "array", + "items": { + "type": "string", + "default": "", + "enum": [ + "*", + "CONNECT", + "CREATE", + "DELETE", + "UPDATE" + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + } + }, + "io.k8s.api.admissionregistration.v1.ServiceReference": { + "description": "ServiceReference holds a reference to Service.legacy.k8s.io", + "type": "object", + "required": [ + "namespace", + "name" + ], + "properties": { + "name": { + "description": "`name` is the name of the service. Required", + "type": "string", + "default": "" + }, + "namespace": { + "description": "`namespace` is the namespace of the service. Required", + "type": "string", + "default": "" + }, + "path": { + "description": "`path` is an optional URL path which will be sent in any request to this service.", + "type": "string" + }, + "port": { + "description": "If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).", + "type": "integer", + "format": "int32" + } + } + }, + "io.k8s.api.admissionregistration.v1.TypeChecking": { + "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", + "type": "object", + "properties": { + "expressionWarnings": { + "description": "The type checking warnings for each expression.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ExpressionWarning" + } + ] + }, + "x-kubernetes-list-type": "atomic" + } + } + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy": { + "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingAdmissionPolicy" + ] + }, + "metadata": { + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + } + ] + }, + "spec": { + "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec" + } + ] + }, + "status": { + "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingAdmissionPolicy", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding": { + "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + } + ] + }, + "spec": { + "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingAdmissionPolicyBinding", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList": { + "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "items": { + "description": "List of PolicyBinding.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding" + } + ] + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingAdmissionPolicyBindingList" + ] + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingAdmissionPolicyBindingList", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec": { + "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "type": "object", + "properties": { + "matchResources": { + "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MatchResources" + } + ] + }, + "paramRef": { + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ParamRef" + } + ] + }, + "policyName": { + "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": "string" + }, + "validationActions": { + "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", + "type": "array", + "items": { + "type": "string", + "default": "", + "enum": [ + "Audit", + "Deny", + "Warn" + ] + }, + "x-kubernetes-list-type": "set" + } + } + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList": { + "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "items": { + "description": "List of ValidatingAdmissionPolicy.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy" + } + ] + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingAdmissionPolicyList" + ] + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingAdmissionPolicyList", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec": { + "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "type": "object", + "properties": { + "auditAnnotations": { + "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.AuditAnnotation" + } + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.", + "type": "string", + "enum": [ + "Fail", + "Ignore" + ] + }, + "matchConditions": { + "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MatchCondition" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MatchResources" + } + ] + }, + "paramKind": { + "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ParamKind" + } + ] + }, + "validations": { + "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.Validation" + } + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "variables": { + "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.Variable" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + } + } + }, + "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus": { + "description": "ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.", + "type": "object", + "properties": { + "conditions": { + "description": "The conditions represent the latest available observations of a policy's current state.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + }, + "observedGeneration": { + "description": "The generation observed by the controller.", + "type": "integer", + "format": "int64" + }, + "typeChecking": { + "description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.TypeChecking" + } + ] + } + } + }, + "io.k8s.api.admissionregistration.v1.ValidatingWebhook": { + "description": "ValidatingWebhook describes an admission webhook and the resources and operations it applies to.", + "type": "object", + "required": [ + "name", + "clientConfig", + "sideEffects", + "admissionReviewVersions" + ], + "properties": { + "admissionReviewVersions": { + "description": "AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "clientConfig": { + "description": "ClientConfig defines how to communicate with the hook. Required", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.WebhookClientConfig" + } + ] + }, + "failurePolicy": { + "description": "FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.", + "type": "string", + "enum": [ + "Fail", + "Ignore" + ] + }, + "matchConditions": { + "description": "MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the error is ignored and the webhook is skipped", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.MatchCondition" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.", + "type": "string", + "enum": [ + "Equivalent", + "Exact" + ] + }, + "name": { + "description": "The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.", + "type": "string", + "default": "" + }, + "namespaceSelector": { + "description": "NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] + }, + "objectSelector": { + "description": "ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] + }, + "rules": { + "description": "Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.RuleWithOperations" + } + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "sideEffects": { + "description": "SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.", + "type": "string", + "enum": [ + "None", + "NoneOnDryRun", + "Some", + "Unknown" + ] + }, + "timeoutSeconds": { + "description": "TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.", + "type": "integer", + "format": "int32" + } + } + }, + "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration": { + "description": "ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingWebhookConfiguration" + ] + }, + "metadata": { + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + } + ] + }, + "webhooks": { + "description": "Webhooks is a list of webhooks and the affected resources and operations.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingWebhook" + } + ] + }, + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingWebhookConfiguration", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList": { + "description": "ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.", + "type": "object", + "required": [ + "items" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "admissionregistration.k8s.io/v1" + ] + }, + "items": { + "description": "List of ValidatingWebhookConfiguration.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration" + } + ] + } + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ValidatingWebhookConfigurationList" + ] + }, + "metadata": { + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" + } + ] + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "ValidatingWebhookConfigurationList", + "version": "v1" + } + ] + }, + "io.k8s.api.admissionregistration.v1.Validation": { + "description": "Validation specifies the CEL expression which is used to apply the validation.", + "type": "object", + "required": [ + "expression" + ], + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", + "type": "string", + "default": "" + }, + "message": { + "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", + "type": "string" + }, + "messageExpression": { + "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", + "type": "string" + }, + "reason": { + "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", + "type": "string" + } + } + }, + "io.k8s.api.admissionregistration.v1.Variable": { + "description": "Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.", + "type": "object", + "required": [ + "name", + "expression" + ], + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string", + "default": "" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string", + "default": "" + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1.WebhookClientConfig": { + "description": "WebhookClientConfig contains the information to make a TLS connection with the webhook", + "type": "object", + "properties": { + "caBundle": { + "description": "`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.", + "type": "string", + "format": "byte" + }, + "service": { + "description": "`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.admissionregistration.v1.ServiceReference" + } + ] + }, + "url": { + "description": "`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource": { + "description": "APIResource specifies the name of a resource and whether it is namespaced.", + "type": "object", + "required": [ + "name", + "singularName", + "namespaced", + "kind", + "verbs" + ], + "properties": { + "categories": { + "description": "categories is a list of the grouped resources this resource belongs to (e.g. 'all')", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "group": { + "description": "group is the preferred group of the resource. Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".", + "type": "string" + }, + "kind": { + "description": "kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')", + "type": "string", + "default": "" + }, + "name": { + "description": "name is the plural name of the resource.", + "type": "string", + "default": "" + }, + "namespaced": { + "description": "namespaced indicates if a resource is namespaced or not.", + "type": "boolean", + "default": false + }, + "shortNames": { + "description": "shortNames is a list of suggested short names of the resource.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "singularName": { + "description": "singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.", + "type": "string", + "default": "" + }, + "storageVersionHash": { + "description": "The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.", + "type": "string" + }, + "verbs": { + "description": "verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)", + "type": "array", + "items": { + "type": "string", + "default": "" + } + }, + "version": { + "description": "version is the preferred version of the resource. Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList": { + "description": "APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.", + "type": "object", + "required": [ + "groupVersion", + "resources" + ], + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "v1" + ] + }, + "groupVersion": { + "description": "groupVersion is the group and version this APIResourceList is for.", + "type": "string", + "default": "" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "APIResourceList" + ] + }, + "resources": { + "description": "resources contains the name of the resources and if they are namespaced.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource" + } + ] + }, + "x-kubernetes-list-type": "atomic" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "APIResourceList", + "version": "v1" + } + ] + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Condition": { + "description": "Condition contains details for one aspect of the current state of this API Resource.", + "type": "object", + "required": [ + "type", + "status", + "lastTransitionTime", + "reason", + "message" + ], + "properties": { + "lastTransitionTime": { + "description": "lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + } + ] + }, + "message": { + "description": "message is a human readable message indicating details about the transition. This may be an empty string.", + "type": "string", + "default": "" + }, + "observedGeneration": { + "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", + "type": "integer", + "format": "int64" + }, + "reason": { + "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.", + "type": "string", + "default": "" + }, + "status": { + "description": "status of the condition, one of True, False, Unknown.", + "type": "string", + "default": "" + }, + "type": { + "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", + "type": "string", + "default": "" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions": { + "description": "DeleteOptions may be provided when deleting an API object.", + "type": "object", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string", + "enum": [ + "v1", + "admission.k8s.io/v1", + "admission.k8s.io/v1beta1", + "admissionregistration.k8s.io/v1", + "admissionregistration.k8s.io/v1alpha1", + "admissionregistration.k8s.io/v1beta1", + "apiextensions.k8s.io/v1", + "apiextensions.k8s.io/v1beta1", + "apiregistration.k8s.io/v1", + "apiregistration.k8s.io/v1beta1", + "apps/v1", + "apps/v1beta1", + "apps/v1beta2", + "authentication.k8s.io/v1", + "authentication.k8s.io/v1alpha1", + "authentication.k8s.io/v1beta1", + "authorization.k8s.io/v1", + "authorization.k8s.io/v1beta1", + "autoscaling/v1", + "autoscaling/v2", + "autoscaling/v2beta1", + "autoscaling/v2beta2", + "batch/v1", + "batch/v1beta1", + "certificates.k8s.io/v1", + "certificates.k8s.io/v1alpha1", + "certificates.k8s.io/v1beta1", + "coordination.k8s.io/v1", + "coordination.k8s.io/v1beta1", + "discovery.k8s.io/v1", + "discovery.k8s.io/v1beta1", + "events.k8s.io/v1", + "events.k8s.io/v1beta1", + "extensions/v1beta1", + "flowcontrol.apiserver.k8s.io/v1", + "flowcontrol.apiserver.k8s.io/v1beta1", + "flowcontrol.apiserver.k8s.io/v1beta2", + "flowcontrol.apiserver.k8s.io/v1beta3", + "imagepolicy.k8s.io/v1alpha1", + "internal.apiserver.k8s.io/v1alpha1", + "networking.k8s.io/v1", + "networking.k8s.io/v1alpha1", + "networking.k8s.io/v1beta1", + "node.k8s.io/v1", + "node.k8s.io/v1alpha1", + "node.k8s.io/v1beta1", + "policy/v1", + "policy/v1beta1", + "rbac.authorization.k8s.io/v1", + "rbac.authorization.k8s.io/v1alpha1", + "rbac.authorization.k8s.io/v1beta1", + "resource.k8s.io/v1alpha2", + "scheduling.k8s.io/v1", + "scheduling.k8s.io/v1alpha1", + "scheduling.k8s.io/v1beta1", + "storage.k8s.io/v1", + "storage.k8s.io/v1alpha1", + "storage.k8s.io/v1beta1", + "storagemigration.k8s.io/v1alpha1" + ] + }, + "dryRun": { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + }, + "gracePeriodSeconds": { + "description": "The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.", + "type": "integer", + "format": "int64" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "DeleteOptions" + ] + }, + "orphanDependents": { + "description": "Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.", + "type": "boolean" + }, + "preconditions": { + "description": "Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions" + } + ] + }, + "propagationPolicy": { + "description": "Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.", + "type": "string" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apps", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "DeleteOptions", + "version": "v1beta2" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, + { + "group": "authentication.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "authorization.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" }, { "group": "autoscaling", @@ -262,6 +1664,11 @@ "kind": "DeleteOptions", "version": "v1beta3" }, + { + "group": "imagepolicy.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, { "group": "internal.apiserver.k8s.io", "kind": "DeleteOptions", @@ -368,6 +1775,63 @@ "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:', where is the name of a field in a struct, or key in a map 'v:', where is the exact json formatted value of a list item 'i:', where is position of a item in a list 'k:', where is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", "type": "object" }, + "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "type": "object", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "type": "array", + "items": { + "default": {}, + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" + } + ] + }, + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object", + "additionalProperties": { + "type": "string", + "default": "" + } + } + }, + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "type": "object", + "required": [ + "key", + "operator" + ], + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string", + "default": "" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string", + "default": "" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "type": "array", + "items": { + "type": "string", + "default": "" + }, + "x-kubernetes-list-type": "atomic" + } + } + }, "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta": { "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", "type": "object", @@ -708,14986 +2172,357 @@ }, "x-kubernetes-list-type": "atomic" }, - "group": { - "description": "The group attribute of the resource associated with the status StatusReason.", - "type": "string" + "group": { + "description": "The group attribute of the resource associated with the status StatusReason.", + "type": "string" + }, + "kind": { + "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).", + "type": "string" + }, + "retryAfterSeconds": { + "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.", + "type": "integer", + "format": "int32" + }, + "uid": { + "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + } + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.Time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "type": "string", + "format": "date-time" + }, + "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent": { + "description": "Event represents a single event to a watched resource.", + "type": "object", + "required": [ + "type", + "object" + ], + "properties": { + "object": { + "description": "Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n depending on context.", + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.runtime.RawExtension" + } + ] + }, + "type": { + "type": "string", + "default": "" + } + }, + "x-kubernetes-group-version-kind": [ + { + "group": "", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "admissionregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "apps", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "apps", + "kind": "WatchEvent", + "version": "v1beta2" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "authentication.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2beta1" + }, + { + "group": "autoscaling", + "kind": "WatchEvent", + "version": "v2beta2" + }, + { + "group": "batch", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "batch", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "certificates.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "coordination.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "coordination.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "discovery.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "discovery.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "events.k8s.io", + "kind": "WatchEvent", + "version": "v1" }, - "kind": { - "description": "The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" + { + "group": "events.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" }, - "name": { - "description": "The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).", - "type": "string" + { + "group": "extensions", + "kind": "WatchEvent", + "version": "v1beta1" }, - "retryAfterSeconds": { - "description": "If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.", - "type": "integer", - "format": "int32" + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1" }, - "uid": { - "description": "UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - } - }, - "io.k8s.apimachinery.pkg.apis.meta.v1.Time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "type": "string", - "format": "date-time" - }, - "io.kyverno.v1.ClusterPolicy": { - "description": "ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string", - "enum": [ - "kyverno.io/v1" - ] + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterPolicy" - ] + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta2" }, - "metadata": { - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "allOf": [ - { - "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - } - ] + { + "group": "flowcontrol.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1beta3" }, - "spec": { - "description": "Spec declares policy behaviors.", - "type": "object", - "properties": { - "admission": { - "description": "Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".", - "type": "boolean", - "default": true - }, - "applyRules": { - "description": "ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.", - "type": "string", - "enum": [ - "All", - "One" - ] - }, - "background": { - "description": "Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).", - "type": "boolean", - "default": true - }, - "failurePolicy": { - "description": "FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.", - "type": "string", - "enum": [ - "Ignore", - "Fail" - ] - }, - "generateExisting": { - "description": "GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "generateExistingOnPolicyUpdate": { - "description": "Deprecated, use generateExisting instead", - "type": "boolean" - }, - "mutateExistingOnPolicyUpdate": { - "description": "MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".", - "type": "boolean" - }, - "rules": { - "description": "Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.", - "type": "array", - "items": { - "description": "Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "celPreconditions": { - "description": "CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "exclude": { - "description": "ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "generate": { - "description": "Generation is used to create new resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "clone": { - "description": "Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.", - "type": "object", - "properties": { - "name": { - "description": "Name specifies name of the resource.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - } - } - }, - "cloneList": { - "description": "CloneList specifies the list of source resource used to populate each generated resource.", - "type": "object", - "properties": { - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "data": { - "description": "Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.", - "x-kubernetes-preserve-unknown-fields": true - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "orphanDownstreamOnPolicyDelete": { - "description": "OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "synchronize": { - "description": "Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.", - "type": "boolean" - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - }, - "imageExtractors": { - "description": "ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "object", - "required": [ - "path" - ], - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.", - "type": "string" - }, - "key": { - "description": "Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.", - "type": "string" - }, - "name": { - "description": "Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.", - "type": "string" - }, - "path": { - "description": "Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.", - "type": "string" - }, - "value": { - "description": "Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.", - "type": "string" - } - } - } - } - }, - "match": { - "description": "MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "mutate": { - "description": "Mutation is used to modify matching resources.", - "type": "object", - "properties": { - "foreach": { - "description": "ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "order": { - "description": "Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.", - "type": "string", - "enum": [ - "Ascending", - "Descending" - ] - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "targets": { - "description": "Targets defines the target resources to be mutated.", - "type": "array", - "items": { - "description": "TargetResourceSpec defines targets for mutating existing resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - } - } - } - }, - "name": { - "description": "Name is a label to identify the rule, It must be unique within the policy.", - "type": "string", - "maxLength": 63 - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "skipBackgroundRequests": { - "description": "SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.", - "type": "boolean", - "default": true - }, - "validate": { - "description": "Validation is used to validate matching resources.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "cel": { - "description": "CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).", - "type": "object", - "properties": { - "auditAnnotations": { - "description": "AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.", - "type": "array", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "type": "object", - "required": [ - "key", - "valueExpression" - ], - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.", - "type": "string" - } - } - } - }, - "expressions": { - "description": "Expressions is a list of CELExpression types.", - "type": "array", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "type": "object", - "required": [ - "expression" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".", - "type": "string" - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - } - } - }, - "paramKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to.\nRequired.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "paramRef": { - "description": "ParamRef references a parameter resource.", - "type": "object", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`", - "type": "string" - }, - "selector": { - "description": "selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.", - "type": "array", - "items": { - "description": "Variable is the definition of a variable that is used for composition.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" - }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`", - "type": "string" - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "foreach": { - "description": "ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "elementScope": { - "description": "ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.", - "type": "boolean" - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "manifests": { - "description": "Manifest specifies conditions for manifest verification", - "type": "object", - "properties": { - "annotationDomain": { - "description": "AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".", - "type": "string" - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "dryRun": { - "description": "DryRun configuration", - "type": "object", - "properties": { - "enable": { - "type": "boolean" - }, - "namespace": { - "type": "string" - } - } - }, - "ignoreFields": { - "description": "Fields which will be ignored while comparing manifests.", - "type": "array", - "items": { - "type": "object", - "properties": { - "fields": { - "type": "array", - "items": { - "type": "string" - } - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "properties": { - "group": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - }, - "version": { - "type": "string" - } - } - } - } - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.", - "type": "string" - } - } - }, - "message": { - "description": "Message specifies a custom message to be displayed on failure.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "podSecurity": { - "description": "PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.", - "type": "object", - "properties": { - "exclude": { - "description": "Exclude specifies the Pod Security Standard controls to be excluded.", - "type": "array", - "items": { - "description": "PodSecurityStandard specifies the Pod Security Standard controls to be excluded.", - "type": "object", - "required": [ - "controlName" - ], - "properties": { - "controlName": { - "description": "ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "type": "string", - "enum": [ - "HostProcess", - "Host Namespaces", - "Privileged Containers", - "Capabilities", - "HostPath Volumes", - "Host Ports", - "AppArmor", - "SELinux", - "/proc Mount Type", - "Seccomp", - "Sysctls", - "Volume Types", - "Privilege Escalation", - "Running as Non-root", - "Running as Non-root user" - ] - }, - "images": { - "description": "Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "restrictedField": { - "description": "RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.", - "type": "string" - }, - "values": { - "description": "Values defines the allowed values that can be excluded.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "level": { - "description": "Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.", - "type": "string", - "enum": [ - "privileged", - "baseline", - "restricted" - ] - }, - "version": { - "description": "Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.", - "type": "string", - "enum": [ - "v1.19", - "v1.20", - "v1.21", - "v1.22", - "v1.23", - "v1.24", - "v1.25", - "v1.26", - "v1.27", - "v1.28", - "v1.29", - "latest" - ] - } - } - } - } - }, - "verifyImages": { - "description": "VerifyImages is used to verify image signatures and mutate them to add a digest", - "type": "array", - "items": { - "description": "ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "Deprecated.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Deprecated. Use annotations per Attestor instead.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestations": { - "description": "Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.", - "type": "array", - "items": { - "description": "Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.", - "type": "object", - "properties": { - "attestors": { - "description": "Attestors specify the required attestors (i.e. authorities).", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "conditions": { - "description": "Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.", - "type": "array", - "items": { - "description": "AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - } - }, - "predicateType": { - "description": "Deprecated in favour of 'Type', to be removed soon", - "type": "string" - }, - "type": { - "description": "Type defines the type of attestation contained within the Statement.", - "type": "string" - } - } - } - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "image": { - "description": "Deprecated. Use ImageReferences instead.", - "type": "string" - }, - "imageReferences": { - "description": "ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry.", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "issuer": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "key": { - "description": "Deprecated. Use StaticKeyAttestor instead.", - "type": "string" - }, - "mutateDigest": { - "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.", - "type": "boolean", - "default": true - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.", - "type": "string" - }, - "required": { - "description": "Required validates that images are verified i.e. have matched passed a signature or attestation check.", - "type": "boolean", - "default": true - }, - "roots": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "skipImageReferences": { - "description": "SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "subject": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "type": { - "description": "Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.", - "type": "string", - "enum": [ - "Cosign", - "Notary" - ] - }, - "useCache": { - "description": "UseCache enables caching of image verify responses for this rule.", - "type": "boolean", - "default": true - }, - "verifyDigest": { - "description": "VerifyDigest validates that images have a digest.", - "type": "boolean", - "default": true - } - } - } - } - } - } - }, - "schemaValidation": { - "description": "Deprecated.", - "type": "boolean" - }, - "useServerSideApply": { - "description": "UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "validationFailureAction": { - "description": "ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".", - "type": "string", - "default": "Audit", - "enum": [ - "audit", - "enforce", - "Audit", - "Enforce" - ] - }, - "validationFailureActionOverrides": { - "description": "ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.", - "type": "array", - "items": { - "type": "object", - "properties": { - "action": { - "description": "ValidationFailureAction defines the policy validation failure action", - "type": "string", - "enum": [ - "audit", - "enforce", - "Audit", - "Enforce" - ] - }, - "namespaceSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "webhookConfiguration": { - "description": "WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.", - "type": "object", - "properties": { - "matchConditions": { - "description": "MatchCondition configures admission webhook matchConditions.", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - } - } - }, - "webhookTimeoutSeconds": { - "description": "WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.", - "type": "integer", - "format": "int32" - } - } + { + "group": "imagepolicy.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "internal.apiserver.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" }, - "status": { - "description": "Status contains policy runtime data.", - "type": "object", - "required": [ - "ready" - ], - "properties": { - "autogen": { - "description": "AutogenStatus contains autogen status information.", - "type": "object", - "properties": { - "rules": { - "description": "Rules is a list of Rule instances. It contains auto generated rules added for pod controllers", - "type": "array", - "items": { - "description": "Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "celPreconditions": { - "description": "CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "exclude": { - "description": "ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "generate": { - "description": "Generation is used to create new resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "clone": { - "description": "Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.", - "type": "object", - "properties": { - "name": { - "description": "Name specifies name of the resource.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - } - } - }, - "cloneList": { - "description": "CloneList specifies the list of source resource used to populate each generated resource.", - "type": "object", - "properties": { - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "data": { - "description": "Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.", - "x-kubernetes-preserve-unknown-fields": true - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "orphanDownstreamOnPolicyDelete": { - "description": "OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "synchronize": { - "description": "Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.", - "type": "boolean" - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - }, - "imageExtractors": { - "description": "ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "object", - "required": [ - "path" - ], - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.", - "type": "string" - }, - "key": { - "description": "Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.", - "type": "string" - }, - "name": { - "description": "Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.", - "type": "string" - }, - "path": { - "description": "Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.", - "type": "string" - }, - "value": { - "description": "Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.", - "type": "string" - } - } - } - } - }, - "match": { - "description": "MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "mutate": { - "description": "Mutation is used to modify matching resources.", - "type": "object", - "properties": { - "foreach": { - "description": "ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "order": { - "description": "Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.", - "type": "string", - "enum": [ - "Ascending", - "Descending" - ] - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "targets": { - "description": "Targets defines the target resources to be mutated.", - "type": "array", - "items": { - "description": "TargetResourceSpec defines targets for mutating existing resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - } - } - } - }, - "name": { - "description": "Name is a label to identify the rule, It must be unique within the policy.", - "type": "string", - "maxLength": 63 - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "skipBackgroundRequests": { - "description": "SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.", - "type": "boolean", - "default": true - }, - "validate": { - "description": "Validation is used to validate matching resources.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "cel": { - "description": "CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).", - "type": "object", - "properties": { - "auditAnnotations": { - "description": "AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.", - "type": "array", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "type": "object", - "required": [ - "key", - "valueExpression" - ], - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.", - "type": "string" - } - } - } - }, - "expressions": { - "description": "Expressions is a list of CELExpression types.", - "type": "array", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "type": "object", - "required": [ - "expression" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".", - "type": "string" - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - } - } - }, - "paramKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to.\nRequired.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "paramRef": { - "description": "ParamRef references a parameter resource.", - "type": "object", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`", - "type": "string" - }, - "selector": { - "description": "selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.", - "type": "array", - "items": { - "description": "Variable is the definition of a variable that is used for composition.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" - }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`", - "type": "string" - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "foreach": { - "description": "ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "elementScope": { - "description": "ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.", - "type": "boolean" - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "manifests": { - "description": "Manifest specifies conditions for manifest verification", - "type": "object", - "properties": { - "annotationDomain": { - "description": "AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".", - "type": "string" - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "dryRun": { - "description": "DryRun configuration", - "type": "object", - "properties": { - "enable": { - "type": "boolean" - }, - "namespace": { - "type": "string" - } - } - }, - "ignoreFields": { - "description": "Fields which will be ignored while comparing manifests.", - "type": "array", - "items": { - "type": "object", - "properties": { - "fields": { - "type": "array", - "items": { - "type": "string" - } - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "properties": { - "group": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - }, - "version": { - "type": "string" - } - } - } - } - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.", - "type": "string" - } - } - }, - "message": { - "description": "Message specifies a custom message to be displayed on failure.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "podSecurity": { - "description": "PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.", - "type": "object", - "properties": { - "exclude": { - "description": "Exclude specifies the Pod Security Standard controls to be excluded.", - "type": "array", - "items": { - "description": "PodSecurityStandard specifies the Pod Security Standard controls to be excluded.", - "type": "object", - "required": [ - "controlName" - ], - "properties": { - "controlName": { - "description": "ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "type": "string", - "enum": [ - "HostProcess", - "Host Namespaces", - "Privileged Containers", - "Capabilities", - "HostPath Volumes", - "Host Ports", - "AppArmor", - "SELinux", - "/proc Mount Type", - "Seccomp", - "Sysctls", - "Volume Types", - "Privilege Escalation", - "Running as Non-root", - "Running as Non-root user" - ] - }, - "images": { - "description": "Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "restrictedField": { - "description": "RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.", - "type": "string" - }, - "values": { - "description": "Values defines the allowed values that can be excluded.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "level": { - "description": "Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.", - "type": "string", - "enum": [ - "privileged", - "baseline", - "restricted" - ] - }, - "version": { - "description": "Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.", - "type": "string", - "enum": [ - "v1.19", - "v1.20", - "v1.21", - "v1.22", - "v1.23", - "v1.24", - "v1.25", - "v1.26", - "v1.27", - "v1.28", - "v1.29", - "latest" - ] - } - } - } - } - }, - "verifyImages": { - "description": "VerifyImages is used to verify image signatures and mutate them to add a digest", - "type": "array", - "items": { - "description": "ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "Deprecated.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Deprecated. Use annotations per Attestor instead.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestations": { - "description": "Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.", - "type": "array", - "items": { - "description": "Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.", - "type": "object", - "properties": { - "attestors": { - "description": "Attestors specify the required attestors (i.e. authorities).", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "conditions": { - "description": "Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.", - "type": "array", - "items": { - "description": "AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - } - }, - "predicateType": { - "description": "Deprecated in favour of 'Type', to be removed soon", - "type": "string" - }, - "type": { - "description": "Type defines the type of attestation contained within the Statement.", - "type": "string" - } - } - } - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "image": { - "description": "Deprecated. Use ImageReferences instead.", - "type": "string" - }, - "imageReferences": { - "description": "ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry.", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "issuer": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "key": { - "description": "Deprecated. Use StaticKeyAttestor instead.", - "type": "string" - }, - "mutateDigest": { - "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.", - "type": "boolean", - "default": true - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.", - "type": "string" - }, - "required": { - "description": "Required validates that images are verified i.e. have matched passed a signature or attestation check.", - "type": "boolean", - "default": true - }, - "roots": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "skipImageReferences": { - "description": "SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "subject": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "type": { - "description": "Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.", - "type": "string", - "enum": [ - "Cosign", - "Notary" - ] - }, - "useCache": { - "description": "UseCache enables caching of image verify responses for this rule.", - "type": "boolean", - "default": true - }, - "verifyDigest": { - "description": "VerifyDigest validates that images have a digest.", - "type": "boolean", - "default": true - } - } - } - } - } - } - } - } - }, - "conditions": { - "type": "array", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", - "type": "object", - "required": [ - "lastTransitionTime", - "message", - "reason", - "status", - "type" - ], - "properties": { - "lastTransitionTime": { - "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", - "type": "string", - "format": "date-time" - }, - "message": { - "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", - "type": "string", - "maxLength": 32768 - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", - "type": "integer", - "format": "int64", - "minimum": 0 - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", - "type": "string", - "maxLength": 1024, - "minLength": 1, - "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string", - "enum": [ - "True", - "False", - "Unknown" - ] - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", - "type": "string", - "maxLength": 316, - "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" - } - } - } - }, - "ready": { - "description": "Deprecated in favor of Conditions", - "type": "boolean" - }, - "rulecount": { - "description": "RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules", - "type": "object", - "required": [ - "generate", - "mutate", - "validate", - "verifyimages" - ], - "properties": { - "generate": { - "description": "Count for generate rules in policy", - "type": "integer" - }, - "mutate": { - "description": "Count for mutate rules in policy", - "type": "integer" - }, - "validate": { - "description": "Count for validate rules in policy", - "type": "integer" - }, - "verifyimages": { - "description": "Count for verify image rules in policy", - "type": "integer" - } - } - }, - "validatingadmissionpolicy": { - "description": "ValidatingAdmissionPolicy contains status information", - "type": "object", - "required": [ - "generated", - "message" - ], - "properties": { - "generated": { - "description": "Generated indicates whether a validating admission policy is generated from the policy or not", - "type": "boolean" - }, - "message": { - "description": "Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.", - "type": "string" - } - } - } - } - } - }, - "x-kubernetes-group-version-kind": [ { - "group": "kyverno.io", - "kind": "ClusterPolicy", + "group": "networking.k8s.io", + "kind": "WatchEvent", "version": "v1" - } - ] - }, - "io.kyverno.v1.ClusterPolicyList": { - "description": "ClusterPolicyList is a list of ClusterPolicy", - "type": "object", - "required": [ - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string", - "enum": [ - "kyverno.io/v1" - ] }, - "items": { - "description": "List of clusterpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", - "type": "array", - "items": { - "$ref": "#/components/schemas/io.kyverno.v1.ClusterPolicy" - } + { + "group": "networking.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterPolicyList" - ] + { + "group": "networking.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" }, - "metadata": { - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "allOf": [ - { - "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - ] - } - }, - "x-kubernetes-group-version-kind": [ { - "group": "kyverno.io", - "kind": "ClusterPolicyList", + "group": "node.k8s.io", + "kind": "WatchEvent", "version": "v1" - } - ] - }, - "io.kyverno.v1.Policy": { - "description": "Policy declares validation, mutation, and generation behaviors for matching resources.\nSee: https://kyverno.io/docs/writing-policies/ for more information.", - "type": "object", - "required": [ - "spec" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string", - "enum": [ - "kyverno.io/v1" - ] }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "Policy" - ] + { + "group": "node.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" }, - "metadata": { - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "allOf": [ - { - "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" - } - ] + { + "group": "node.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" }, - "spec": { - "description": "Spec defines policy behaviors and contains one or more rules.", - "type": "object", - "properties": { - "admission": { - "description": "Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".", - "type": "boolean", - "default": true - }, - "applyRules": { - "description": "ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.", - "type": "string", - "enum": [ - "All", - "One" - ] - }, - "background": { - "description": "Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).", - "type": "boolean", - "default": true - }, - "failurePolicy": { - "description": "FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.", - "type": "string", - "enum": [ - "Ignore", - "Fail" - ] - }, - "generateExisting": { - "description": "GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "generateExistingOnPolicyUpdate": { - "description": "Deprecated, use generateExisting instead", - "type": "boolean" - }, - "mutateExistingOnPolicyUpdate": { - "description": "MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".", - "type": "boolean" - }, - "rules": { - "description": "Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.", - "type": "array", - "items": { - "description": "Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "celPreconditions": { - "description": "CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "exclude": { - "description": "ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "generate": { - "description": "Generation is used to create new resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "clone": { - "description": "Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.", - "type": "object", - "properties": { - "name": { - "description": "Name specifies name of the resource.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - } - } - }, - "cloneList": { - "description": "CloneList specifies the list of source resource used to populate each generated resource.", - "type": "object", - "properties": { - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "data": { - "description": "Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.", - "x-kubernetes-preserve-unknown-fields": true - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "orphanDownstreamOnPolicyDelete": { - "description": "OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "synchronize": { - "description": "Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.", - "type": "boolean" - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - }, - "imageExtractors": { - "description": "ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "object", - "required": [ - "path" - ], - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.", - "type": "string" - }, - "key": { - "description": "Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.", - "type": "string" - }, - "name": { - "description": "Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.", - "type": "string" - }, - "path": { - "description": "Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.", - "type": "string" - }, - "value": { - "description": "Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.", - "type": "string" - } - } - } - } - }, - "match": { - "description": "MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "mutate": { - "description": "Mutation is used to modify matching resources.", - "type": "object", - "properties": { - "foreach": { - "description": "ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "order": { - "description": "Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.", - "type": "string", - "enum": [ - "Ascending", - "Descending" - ] - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "targets": { - "description": "Targets defines the target resources to be mutated.", - "type": "array", - "items": { - "description": "TargetResourceSpec defines targets for mutating existing resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - } - } - } - }, - "name": { - "description": "Name is a label to identify the rule, It must be unique within the policy.", - "type": "string", - "maxLength": 63 - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "skipBackgroundRequests": { - "description": "SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.", - "type": "boolean", - "default": true - }, - "validate": { - "description": "Validation is used to validate matching resources.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "cel": { - "description": "CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).", - "type": "object", - "properties": { - "auditAnnotations": { - "description": "AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.", - "type": "array", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "type": "object", - "required": [ - "key", - "valueExpression" - ], - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.", - "type": "string" - } - } - } - }, - "expressions": { - "description": "Expressions is a list of CELExpression types.", - "type": "array", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "type": "object", - "required": [ - "expression" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".", - "type": "string" - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - } - } - }, - "paramKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to.\nRequired.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "paramRef": { - "description": "ParamRef references a parameter resource.", - "type": "object", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`", - "type": "string" - }, - "selector": { - "description": "selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.", - "type": "array", - "items": { - "description": "Variable is the definition of a variable that is used for composition.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" - }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`", - "type": "string" - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "foreach": { - "description": "ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "elementScope": { - "description": "ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.", - "type": "boolean" - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "manifests": { - "description": "Manifest specifies conditions for manifest verification", - "type": "object", - "properties": { - "annotationDomain": { - "description": "AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".", - "type": "string" - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "dryRun": { - "description": "DryRun configuration", - "type": "object", - "properties": { - "enable": { - "type": "boolean" - }, - "namespace": { - "type": "string" - } - } - }, - "ignoreFields": { - "description": "Fields which will be ignored while comparing manifests.", - "type": "array", - "items": { - "type": "object", - "properties": { - "fields": { - "type": "array", - "items": { - "type": "string" - } - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "properties": { - "group": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - }, - "version": { - "type": "string" - } - } - } - } - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.", - "type": "string" - } - } - }, - "message": { - "description": "Message specifies a custom message to be displayed on failure.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "podSecurity": { - "description": "PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.", - "type": "object", - "properties": { - "exclude": { - "description": "Exclude specifies the Pod Security Standard controls to be excluded.", - "type": "array", - "items": { - "description": "PodSecurityStandard specifies the Pod Security Standard controls to be excluded.", - "type": "object", - "required": [ - "controlName" - ], - "properties": { - "controlName": { - "description": "ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "type": "string", - "enum": [ - "HostProcess", - "Host Namespaces", - "Privileged Containers", - "Capabilities", - "HostPath Volumes", - "Host Ports", - "AppArmor", - "SELinux", - "/proc Mount Type", - "Seccomp", - "Sysctls", - "Volume Types", - "Privilege Escalation", - "Running as Non-root", - "Running as Non-root user" - ] - }, - "images": { - "description": "Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "restrictedField": { - "description": "RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.", - "type": "string" - }, - "values": { - "description": "Values defines the allowed values that can be excluded.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "level": { - "description": "Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.", - "type": "string", - "enum": [ - "privileged", - "baseline", - "restricted" - ] - }, - "version": { - "description": "Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.", - "type": "string", - "enum": [ - "v1.19", - "v1.20", - "v1.21", - "v1.22", - "v1.23", - "v1.24", - "v1.25", - "v1.26", - "v1.27", - "v1.28", - "v1.29", - "latest" - ] - } - } - } - } - }, - "verifyImages": { - "description": "VerifyImages is used to verify image signatures and mutate them to add a digest", - "type": "array", - "items": { - "description": "ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "Deprecated.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Deprecated. Use annotations per Attestor instead.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestations": { - "description": "Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.", - "type": "array", - "items": { - "description": "Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.", - "type": "object", - "properties": { - "attestors": { - "description": "Attestors specify the required attestors (i.e. authorities).", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "conditions": { - "description": "Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.", - "type": "array", - "items": { - "description": "AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - } - }, - "predicateType": { - "description": "Deprecated in favour of 'Type', to be removed soon", - "type": "string" - }, - "type": { - "description": "Type defines the type of attestation contained within the Statement.", - "type": "string" - } - } - } - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "image": { - "description": "Deprecated. Use ImageReferences instead.", - "type": "string" - }, - "imageReferences": { - "description": "ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry.", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "issuer": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "key": { - "description": "Deprecated. Use StaticKeyAttestor instead.", - "type": "string" - }, - "mutateDigest": { - "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.", - "type": "boolean", - "default": true - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.", - "type": "string" - }, - "required": { - "description": "Required validates that images are verified i.e. have matched passed a signature or attestation check.", - "type": "boolean", - "default": true - }, - "roots": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "skipImageReferences": { - "description": "SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "subject": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "type": { - "description": "Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.", - "type": "string", - "enum": [ - "Cosign", - "Notary" - ] - }, - "useCache": { - "description": "UseCache enables caching of image verify responses for this rule.", - "type": "boolean", - "default": true - }, - "verifyDigest": { - "description": "VerifyDigest validates that images have a digest.", - "type": "boolean", - "default": true - } - } - } - } - } - } - }, - "schemaValidation": { - "description": "Deprecated.", - "type": "boolean" - }, - "useServerSideApply": { - "description": "UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "validationFailureAction": { - "description": "ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".", - "type": "string", - "default": "Audit", - "enum": [ - "audit", - "enforce", - "Audit", - "Enforce" - ] - }, - "validationFailureActionOverrides": { - "description": "ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.", - "type": "array", - "items": { - "type": "object", - "properties": { - "action": { - "description": "ValidationFailureAction defines the policy validation failure action", - "type": "string", - "enum": [ - "audit", - "enforce", - "Audit", - "Enforce" - ] - }, - "namespaceSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "webhookConfiguration": { - "description": "WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.", - "type": "object", - "properties": { - "matchConditions": { - "description": "MatchCondition configures admission webhook matchConditions.", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - } - } - }, - "webhookTimeoutSeconds": { - "description": "WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.", - "type": "integer", - "format": "int32" - } - } + { + "group": "policy", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "policy", + "kind": "WatchEvent", + "version": "v1beta1" }, - "status": { - "description": "Deprecated. Policy metrics are available via the metrics endpoint", - "type": "object", - "required": [ - "ready" - ], - "properties": { - "autogen": { - "description": "AutogenStatus contains autogen status information.", - "type": "object", - "properties": { - "rules": { - "description": "Rules is a list of Rule instances. It contains auto generated rules added for pod controllers", - "type": "array", - "items": { - "description": "Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "celPreconditions": { - "description": "CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule", - "type": "array", - "items": { - "description": "MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.", - "type": "string" - }, - "name": { - "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.", - "type": "string" - } - } - } - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "exclude": { - "description": "ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "generate": { - "description": "Generation is used to create new resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "clone": { - "description": "Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.", - "type": "object", - "properties": { - "name": { - "description": "Name specifies name of the resource.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - } - } - }, - "cloneList": { - "description": "CloneList specifies the list of source resource used to populate each generated resource.", - "type": "object", - "properties": { - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "namespace": { - "description": "Namespace specifies source resource namespace.", - "type": "string" - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "data": { - "description": "Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.", - "x-kubernetes-preserve-unknown-fields": true - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "orphanDownstreamOnPolicyDelete": { - "description": "OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.", - "type": "boolean" - }, - "synchronize": { - "description": "Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.", - "type": "boolean" - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - }, - "imageExtractors": { - "description": "ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.", - "type": "object", - "additionalProperties": { - "type": "array", - "items": { - "type": "object", - "required": [ - "path" - ], - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.", - "type": "string" - }, - "key": { - "description": "Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.", - "type": "string" - }, - "name": { - "description": "Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.", - "type": "string" - }, - "path": { - "description": "Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.", - "type": "string" - }, - "value": { - "description": "Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.", - "type": "string" - } - } - } - } - }, - "match": { - "description": "MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.", - "type": "object", - "properties": { - "all": { - "description": "All allows specifying resources which will be ANDed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "any": { - "description": "Any allows specifying resources which will be ORed", - "type": "array", - "items": { - "description": "ResourceFilter allow users to \"AND\" or \"OR\" between resources", - "type": "object", - "properties": { - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - } - }, - "clusterRoles": { - "description": "ClusterRoles is the list of cluster-wide role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "resources": { - "description": "ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.", - "type": "object", - "properties": { - "annotations": { - "description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "kinds": { - "description": "Kinds is a list of resource kinds.", - "type": "array", - "items": { - "type": "string" - } - }, - "name": { - "description": "Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".", - "type": "string" - }, - "names": { - "description": "Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "namespaceSelector": { - "description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - }, - "namespaces": { - "description": "Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).", - "type": "array", - "items": { - "type": "string" - } - }, - "operations": { - "description": "Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.", - "type": "array", - "items": { - "description": "AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.", - "type": "string", - "enum": [ - "CREATE", - "CONNECT", - "UPDATE", - "DELETE" - ] - } - }, - "selector": { - "description": "Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - } - }, - "roles": { - "description": "Roles is the list of namespaced role names for the user.", - "type": "array", - "items": { - "type": "string" - } - }, - "subjects": { - "description": "Subjects is the list of subject names like users, user groups, and service accounts.", - "type": "array", - "items": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.", - "type": "object", - "required": [ - "kind", - "name" - ], - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", - "type": "string" - }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "type": "string" - }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - } - } - } - }, - "mutate": { - "description": "Mutation is used to modify matching resources.", - "type": "object", - "properties": { - "foreach": { - "description": "ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "order": { - "description": "Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.", - "type": "string", - "enum": [ - "Ascending", - "Descending" - ] - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "patchStrategicMerge": { - "description": "PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.", - "x-kubernetes-preserve-unknown-fields": true - }, - "patchesJson6902": { - "description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.", - "type": "string" - }, - "targets": { - "description": "Targets defines the target resources to be mutated.", - "type": "array", - "items": { - "description": "TargetResourceSpec defines targets for mutating existing resources.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion specifies resource apiVersion.", - "type": "string" - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "kind": { - "description": "Kind specifies resource kind.", - "type": "string" - }, - "name": { - "description": "Name specifies the resource name.", - "type": "string" - }, - "namespace": { - "description": "Namespace specifies resource namespace.", - "type": "string" - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "uid": { - "description": "UID specifies the resource uid.", - "type": "string" - } - } - } - } - } - }, - "name": { - "description": "Name is a label to identify the rule, It must be unique within the policy.", - "type": "string", - "maxLength": 63 - }, - "preconditions": { - "description": "Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "x-kubernetes-preserve-unknown-fields": true - }, - "skipBackgroundRequests": { - "description": "SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.", - "type": "boolean", - "default": true - }, - "validate": { - "description": "Validation is used to validate matching resources.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "cel": { - "description": "CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).", - "type": "object", - "properties": { - "auditAnnotations": { - "description": "AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.", - "type": "array", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "type": "object", - "required": [ - "key", - "valueExpression" - ], - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.", - "type": "string" - } - } - } - }, - "expressions": { - "description": "Expressions is a list of CELExpression types.", - "type": "array", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "type": "object", - "required": [ - "expression" - ], - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".", - "type": "string" - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - } - } - }, - "paramKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "type": "object", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to.\nRequired.", - "type": "string" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "paramRef": { - "description": "ParamRef references a parameter resource.", - "type": "object", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`", - "type": "string" - }, - "selector": { - "description": "selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - }, - "x-kubernetes-map-type": "atomic" - } - }, - "x-kubernetes-map-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.", - "type": "array", - "items": { - "description": "Variable is the definition of a variable that is used for composition.", - "type": "object", - "required": [ - "expression", - "name" - ], - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" - }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`", - "type": "string" - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "foreach": { - "description": "ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "array", - "items": { - "description": "ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.", - "type": "object", - "properties": { - "anyPattern": { - "description": "AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.", - "x-kubernetes-preserve-unknown-fields": true - }, - "context": { - "description": "Context defines variables and data sources that can be used during rule execution.", - "type": "array", - "items": { - "description": "ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.", - "type": "object", - "properties": { - "apiCall": { - "description": "APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.", - "type": "object", - "properties": { - "data": { - "description": "The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.", - "type": "array", - "items": { - "description": "RequestData contains the HTTP POST data", - "type": "object", - "required": [ - "key", - "value" - ], - "properties": { - "key": { - "description": "Key is a unique identifier for the data value", - "type": "string" - }, - "value": { - "description": "Value is the data value", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "method": { - "description": "Method is the HTTP request type (GET or POST).", - "type": "string", - "default": "GET", - "enum": [ - "GET", - "POST" - ] - }, - "service": { - "description": "Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.", - "type": "object", - "required": [ - "url" - ], - "properties": { - "caBundle": { - "description": "CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.", - "type": "string" - }, - "url": { - "description": "URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.", - "type": "string" - } - } - }, - "urlPath": { - "description": "URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.", - "type": "string" - } - } - }, - "configMap": { - "description": "ConfigMap is the ConfigMap reference.", - "type": "object", - "required": [ - "name" - ], - "properties": { - "name": { - "description": "Name is the ConfigMap name.", - "type": "string" - }, - "namespace": { - "description": "Namespace is the ConfigMap namespace.", - "type": "string" - } - } - }, - "globalReference": { - "description": "GlobalContextEntryReference is a reference to a cached global context entry.", - "type": "object", - "properties": { - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.", - "type": "string" - }, - "name": { - "description": "Name of the global context entry", - "type": "string" - } - } - }, - "imageRegistry": { - "description": "ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.", - "type": "object", - "required": [ - "reference" - ], - "properties": { - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "jmesPath": { - "description": "JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.", - "type": "string" - }, - "reference": { - "description": "Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest", - "type": "string" - } - } - }, - "name": { - "description": "Name is the variable name.", - "type": "string" - }, - "variable": { - "description": "Variable defines an arbitrary JMESPath context variable that can be defined inline.", - "type": "object", - "properties": { - "default": { - "description": "Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil", - "x-kubernetes-preserve-unknown-fields": true - }, - "jmesPath": { - "description": "JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.", - "type": "string" - }, - "value": { - "description": "Value is any arbitrary JSON object representable in YAML or JSON form.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - }, - "deny": { - "description": "Deny defines conditions used to pass or fail a validation rule.", - "type": "object", - "properties": { - "conditions": { - "description": "Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules", - "x-kubernetes-preserve-unknown-fields": true - } - } - }, - "elementScope": { - "description": "ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.", - "type": "boolean" - }, - "foreach": { - "description": "Foreach declares a nested foreach iterator", - "x-kubernetes-preserve-unknown-fields": true - }, - "list": { - "description": "List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "preconditions": { - "description": "AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - }, - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "manifests": { - "description": "Manifest specifies conditions for manifest verification", - "type": "object", - "properties": { - "annotationDomain": { - "description": "AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".", - "type": "string" - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "dryRun": { - "description": "DryRun configuration", - "type": "object", - "properties": { - "enable": { - "type": "boolean" - }, - "namespace": { - "type": "string" - } - } - }, - "ignoreFields": { - "description": "Fields which will be ignored while comparing manifests.", - "type": "array", - "items": { - "type": "object", - "properties": { - "fields": { - "type": "array", - "items": { - "type": "string" - } - }, - "objects": { - "type": "array", - "items": { - "type": "object", - "properties": { - "group": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "name": { - "type": "string" - }, - "namespace": { - "type": "string" - }, - "version": { - "type": "string" - } - } - } - } - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.", - "type": "string" - } - } - }, - "message": { - "description": "Message specifies a custom message to be displayed on failure.", - "type": "string" - }, - "pattern": { - "description": "Pattern specifies an overlay-style pattern used to check resources.", - "x-kubernetes-preserve-unknown-fields": true - }, - "podSecurity": { - "description": "PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.", - "type": "object", - "properties": { - "exclude": { - "description": "Exclude specifies the Pod Security Standard controls to be excluded.", - "type": "array", - "items": { - "description": "PodSecurityStandard specifies the Pod Security Standard controls to be excluded.", - "type": "object", - "required": [ - "controlName" - ], - "properties": { - "controlName": { - "description": "ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "type": "string", - "enum": [ - "HostProcess", - "Host Namespaces", - "Privileged Containers", - "Capabilities", - "HostPath Volumes", - "Host Ports", - "AppArmor", - "SELinux", - "/proc Mount Type", - "Seccomp", - "Sysctls", - "Volume Types", - "Privilege Escalation", - "Running as Non-root", - "Running as Non-root user" - ] - }, - "images": { - "description": "Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "restrictedField": { - "description": "RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.", - "type": "string" - }, - "values": { - "description": "Values defines the allowed values that can be excluded.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - }, - "level": { - "description": "Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.", - "type": "string", - "enum": [ - "privileged", - "baseline", - "restricted" - ] - }, - "version": { - "description": "Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.", - "type": "string", - "enum": [ - "v1.19", - "v1.20", - "v1.21", - "v1.22", - "v1.23", - "v1.24", - "v1.25", - "v1.26", - "v1.27", - "v1.28", - "v1.29", - "latest" - ] - } - } - } - } - }, - "verifyImages": { - "description": "VerifyImages is used to verify image signatures and mutate them to add a digest", - "type": "array", - "items": { - "description": "ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "Deprecated.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Deprecated. Use annotations per Attestor instead.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestations": { - "description": "Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.", - "type": "array", - "items": { - "description": "Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.", - "type": "object", - "properties": { - "attestors": { - "description": "Attestors specify the required attestors (i.e. authorities).", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "conditions": { - "description": "Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.", - "type": "array", - "items": { - "description": "AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.", - "type": "object", - "properties": { - "all": { - "description": "AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - }, - "any": { - "description": "AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass", - "type": "array", - "items": { - "description": "Condition defines variable-based conditional criteria for rule execution.", - "type": "object", - "properties": { - "key": { - "description": "Key is the context entry (using JMESPath) for conditional rule evaluation.", - "x-kubernetes-preserve-unknown-fields": true - }, - "message": { - "description": "Message is an optional display message", - "type": "string" - }, - "operator": { - "description": "Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan", - "type": "string", - "enum": [ - "Equals", - "NotEquals", - "In", - "AnyIn", - "AllIn", - "NotIn", - "AnyNotIn", - "AllNotIn", - "GreaterThanOrEquals", - "GreaterThan", - "LessThanOrEquals", - "LessThan", - "DurationGreaterThanOrEquals", - "DurationGreaterThan", - "DurationLessThanOrEquals", - "DurationLessThan" - ] - }, - "value": { - "description": "Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.", - "x-kubernetes-preserve-unknown-fields": true - } - } - } - } - } - } - }, - "predicateType": { - "description": "Deprecated in favour of 'Type', to be removed soon", - "type": "string" - }, - "type": { - "description": "Type defines the type of attestation contained within the Statement.", - "type": "string" - } - } - } - }, - "attestors": { - "description": "Attestors specified the required attestors (i.e. authorities)", - "type": "array", - "items": { - "type": "object", - "properties": { - "count": { - "description": "Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.", - "type": "integer", - "minimum": 1 - }, - "entries": { - "description": "Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.", - "type": "array", - "items": { - "type": "object", - "properties": { - "annotations": { - "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "attestor": { - "description": "Attestor is a nested set of Attestor used to specify a more complex set of match authorities.", - "x-kubernetes-preserve-unknown-fields": true - }, - "certificates": { - "description": "Certificates specifies one or more certificates.", - "type": "object", - "properties": { - "cert": { - "description": "Cert is an optional PEM-encoded public certificate.", - "type": "string" - }, - "certChain": { - "description": "CertChain is an optional PEM encoded set of certificates used to verify.", - "type": "string" - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - } - } - }, - "keyless": { - "description": "Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.", - "type": "object", - "properties": { - "additionalExtensions": { - "description": "AdditionalExtensions are certificate-extensions used for keyless signing.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "issuer": { - "description": "Issuer is the certificate issuer used for keyless signing.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "roots": { - "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.", - "type": "string" - }, - "subject": { - "description": "Subject is the verified identity used for keyless signing, for example the email address.", - "type": "string" - } - } - }, - "keys": { - "description": "Keys specifies one or more public keys.", - "type": "object", - "properties": { - "ctlog": { - "description": "CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.", - "type": "object", - "properties": { - "ignoreSCT": { - "description": "IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.", - "type": "boolean" - }, - "pubkey": { - "description": "PubKey, if set, is used to validate SCTs against a custom source.", - "type": "string" - } - } - }, - "kms": { - "description": "KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md", - "type": "string" - }, - "publicKeys": { - "description": "Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.", - "type": "string" - }, - "rekor": { - "description": "Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.", - "type": "object", - "properties": { - "ignoreTlog": { - "description": "IgnoreTlog skips transparency log verification.", - "type": "boolean" - }, - "pubkey": { - "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.", - "type": "string" - }, - "url": { - "description": "URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.", - "type": "string" - } - } - }, - "secret": { - "description": "Reference to a Secret resource that contains a public key", - "type": "object", - "required": [ - "name", - "namespace" - ], - "properties": { - "name": { - "description": "Name of the secret. The provided secret must contain a key named cosign.pub.", - "type": "string" - }, - "namespace": { - "description": "Namespace name where the Secret exists.", - "type": "string" - } - } - }, - "signatureAlgorithm": { - "description": "Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.", - "type": "string", - "default": "sha256" - } - } - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.", - "type": "string" - } - } - } - } - } - } - }, - "image": { - "description": "Deprecated. Use ImageReferences instead.", - "type": "string" - }, - "imageReferences": { - "description": "ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "imageRegistryCredentials": { - "description": "ImageRegistryCredentials provides credentials that will be used for authentication with registry.", - "type": "object", - "properties": { - "allowInsecureRegistry": { - "description": "AllowInsecureRegistry allows insecure access to a registry.", - "type": "boolean" - }, - "providers": { - "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.", - "type": "array", - "items": { - "description": "ImageRegistryCredentialsProvidersType provides the list of credential providers required.", - "type": "string", - "enum": [ - "default", - "amazon", - "azure", - "google", - "github" - ] - } - }, - "secrets": { - "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "issuer": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "key": { - "description": "Deprecated. Use StaticKeyAttestor instead.", - "type": "string" - }, - "mutateDigest": { - "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.", - "type": "boolean", - "default": true - }, - "repository": { - "description": "Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.", - "type": "string" - }, - "required": { - "description": "Required validates that images are verified i.e. have matched passed a signature or attestation check.", - "type": "boolean", - "default": true - }, - "roots": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "skipImageReferences": { - "description": "SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.", - "type": "array", - "items": { - "type": "string" - } - }, - "subject": { - "description": "Deprecated. Use KeylessAttestor instead.", - "type": "string" - }, - "type": { - "description": "Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.", - "type": "string", - "enum": [ - "Cosign", - "Notary" - ] - }, - "useCache": { - "description": "UseCache enables caching of image verify responses for this rule.", - "type": "boolean", - "default": true - }, - "verifyDigest": { - "description": "VerifyDigest validates that images have a digest.", - "type": "boolean", - "default": true - } - } - } - } - } - } - } - } - }, - "conditions": { - "type": "array", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}", - "type": "object", - "required": [ - "lastTransitionTime", - "message", - "reason", - "status", - "type" - ], - "properties": { - "lastTransitionTime": { - "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", - "type": "string", - "format": "date-time" - }, - "message": { - "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", - "type": "string", - "maxLength": 32768 - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", - "type": "integer", - "format": "int64", - "minimum": 0 - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", - "type": "string", - "maxLength": 1024, - "minLength": 1, - "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string", - "enum": [ - "True", - "False", - "Unknown" - ] - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)", - "type": "string", - "maxLength": 316, - "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$" - } - } - } - }, - "ready": { - "description": "Deprecated in favor of Conditions", - "type": "boolean" - }, - "rulecount": { - "description": "RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules", - "type": "object", - "required": [ - "generate", - "mutate", - "validate", - "verifyimages" - ], - "properties": { - "generate": { - "description": "Count for generate rules in policy", - "type": "integer" - }, - "mutate": { - "description": "Count for mutate rules in policy", - "type": "integer" - }, - "validate": { - "description": "Count for validate rules in policy", - "type": "integer" - }, - "verifyimages": { - "description": "Count for verify image rules in policy", - "type": "integer" - } - } - }, - "validatingadmissionpolicy": { - "description": "ValidatingAdmissionPolicy contains status information", - "type": "object", - "required": [ - "generated", - "message" - ], - "properties": { - "generated": { - "description": "Generated indicates whether a validating admission policy is generated from the policy or not", - "type": "boolean" - }, - "message": { - "description": "Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.", - "type": "string" - } - } - } - } - } - }, - "x-kubernetes-group-version-kind": [ { - "group": "kyverno.io", - "kind": "Policy", + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", "version": "v1" - } - ] - }, - "io.kyverno.v1.PolicyList": { - "description": "PolicyList is a list of Policy", - "type": "object", - "required": [ - "items" - ], - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string", - "enum": [ - "kyverno.io/v1" - ] }, - "items": { - "description": "List of policies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md", - "type": "array", - "items": { - "$ref": "#/components/schemas/io.kyverno.v1.Policy" - } + { + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "PolicyList" - ] + { + "group": "rbac.authorization.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha2" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "scheduling.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" }, - "metadata": { - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "allOf": [ - { - "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta" - } - ] - } - }, - "x-kubernetes-group-version-kind": [ { - "group": "kyverno.io", - "kind": "PolicyList", + "group": "storage.k8s.io", + "kind": "WatchEvent", "version": "v1" + }, + { + "group": "storage.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" + }, + { + "group": "storage.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, + { + "group": "storagemigration.k8s.io", + "kind": "WatchEvent", + "version": "v1alpha1" } ] }, + "io.k8s.apimachinery.pkg.runtime.RawExtension": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + }, "io.k8s.apimachinery.pkg.util.intstr.IntOrString": { "oneOf": [ { diff --git a/schemas/json/v3/all.json b/schemas/json/v3/all.json index 286d7844..53b1aceb 100644 --- a/schemas/json/v3/all.json +++ b/schemas/json/v3/all.json @@ -1,11 +1,104 @@ { "oneOf": [ + { + "$ref": "io.k8s.api.admissionregistration.v1.AuditAnnotation.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ExpressionWarning.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.MatchCondition.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.MatchResources.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.MutatingWebhook.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.NamedRuleWithOperations.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ParamKind.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ParamRef.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.RuleWithOperations.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ServiceReference.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.TypeChecking.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingWebhook.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.Validation.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.Variable.json" + }, + { + "$ref": "io.k8s.api.admissionregistration.v1.WebhookClientConfig.json" + }, + { + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.APIResource.json" + }, + { + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList.json" + }, + { + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.Condition.json" + }, { "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions.json" }, { "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1.json" }, + { + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector.json" + }, + { + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement.json" + }, { "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta.json" }, @@ -37,16 +130,10 @@ "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.Time.json" }, { - "$ref": "io.kyverno.v1.ClusterPolicy.json" - }, - { - "$ref": "io.kyverno.v1.ClusterPolicyList.json" - }, - { - "$ref": "io.kyverno.v1.Policy.json" + "$ref": "io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent.json" }, { - "$ref": "io.kyverno.v1.PolicyList.json" + "$ref": "io.k8s.apimachinery.pkg.runtime.RawExtension.json" }, { "$ref": "io.k8s.apimachinery.pkg.util.intstr.IntOrString.json" diff --git a/schemas/json/v3/deleteoptions-meta-v1.json b/schemas/json/v3/deleteoptions-meta-v1.json index 36e12ac3..d0acb668 100644 --- a/schemas/json/v3/deleteoptions-meta-v1.json +++ b/schemas/json/v3/deleteoptions-meta-v1.json @@ -6,9 +6,15 @@ "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "enum": [ "v1", + "admission.k8s.io/v1", + "admission.k8s.io/v1beta1", "admissionregistration.k8s.io/v1", "admissionregistration.k8s.io/v1alpha1", "admissionregistration.k8s.io/v1beta1", + "apiextensions.k8s.io/v1", + "apiextensions.k8s.io/v1beta1", + "apiregistration.k8s.io/v1", + "apiregistration.k8s.io/v1beta1", "apps/v1", "apps/v1beta1", "apps/v1beta2", @@ -37,6 +43,7 @@ "flowcontrol.apiserver.k8s.io/v1beta1", "flowcontrol.apiserver.k8s.io/v1beta2", "flowcontrol.apiserver.k8s.io/v1beta3", + "imagepolicy.k8s.io/v1alpha1", "internal.apiserver.k8s.io/v1alpha1", "networking.k8s.io/v1", "networking.k8s.io/v1alpha1", @@ -146,6 +153,16 @@ "kind": "DeleteOptions", "version": "v1" }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "admission.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "admissionregistration.k8s.io", "kind": "DeleteOptions", @@ -161,6 +178,26 @@ "kind": "DeleteOptions", "version": "v1beta1" }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiextensions.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1" + }, + { + "group": "apiregistration.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "apps", "kind": "DeleteOptions", @@ -301,6 +338,11 @@ "kind": "DeleteOptions", "version": "v1beta3" }, + { + "group": "imagepolicy.k8s.io", + "kind": "DeleteOptions", + "version": "v1alpha1" + }, { "group": "internal.apiserver.k8s.io", "kind": "DeleteOptions", diff --git a/schemas/openapi/v2/schema.json b/schemas/openapi/v2/schema.json deleted file mode 100644 index 31d0d8f1..00000000 --- a/schemas/openapi/v2/schema.json +++ /dev/null @@ -1 +0,0 @@ -{"swagger":"2.0","info":{"title":"Kubernetes","version":"v1.30.2"},"paths":{"/.well-known/openid-configuration/":{"get":{"description":"get service account issuer OpenID configuration, also known as the 'OIDC discovery doc'","produces":["application/json"],"schemes":["https"],"tags":["WellKnown"],"operationId":"getServiceAccountIssuerOpenIDConfiguration","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}}}},"/api/":{"get":{"description":"get available API versions","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core"],"operationId":"getCoreAPIVersions","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions"}},"401":{"description":"Unauthorized"}}}},"/api/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"getCoreV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/api/v1/componentstatuses":{"get":{"description":"list objects of kind ComponentStatus","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ComponentStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentStatusList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ComponentStatus","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/componentstatuses/{name}":{"get":{"description":"read the specified ComponentStatus","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1ComponentStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentStatus"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ComponentStatus","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ComponentStatus","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/configmaps":{"get":{"description":"list or watch objects of kind ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ConfigMapForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/endpoints":{"get":{"description":"list or watch objects of kind Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1EndpointsForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointsList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/events":{"get":{"description":"list or watch objects of kind Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1EventForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.EventList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/limitranges":{"get":{"description":"list or watch objects of kind LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1LimitRangeForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/namespaces":{"get":{"description":"list or watch objects of kind Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1Namespace","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"post":{"description":"create a Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1Namespace","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/bindings":{"post":{"description":"create a Binding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Binding","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/configmaps":{"get":{"description":"list or watch objects of kind ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedConfigMap","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"post":{"description":"create a ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedConfigMap","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"delete":{"description":"delete collection of ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedConfigMap","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/configmaps/{name}":{"get":{"description":"read the specified ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedConfigMap","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"put":{"description":"replace the specified ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedConfigMap","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"delete":{"description":"delete a ConfigMap","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedConfigMap","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"patch":{"description":"partially update the specified ConfigMap","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedConfigMap","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ConfigMap","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/endpoints":{"get":{"description":"list or watch objects of kind Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedEndpoints","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointsList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"post":{"description":"create Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedEndpoints","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"delete":{"description":"delete collection of Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedEndpoints","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/endpoints/{name}":{"get":{"description":"read the specified Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedEndpoints","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"put":{"description":"replace the specified Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedEndpoints","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"delete":{"description":"delete Endpoints","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedEndpoints","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"patch":{"description":"partially update the specified Endpoints","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedEndpoints","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Endpoints","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/events":{"get":{"description":"list or watch objects of kind Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedEvent","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.EventList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"post":{"description":"create an Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedEvent","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"delete":{"description":"delete collection of Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedEvent","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/events/{name}":{"get":{"description":"read the specified Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedEvent","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"put":{"description":"replace the specified Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedEvent","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"delete":{"description":"delete an Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedEvent","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"patch":{"description":"partially update the specified Event","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedEvent","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Event","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/limitranges":{"get":{"description":"list or watch objects of kind LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedLimitRange","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"post":{"description":"create a LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedLimitRange","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"delete":{"description":"delete collection of LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedLimitRange","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/limitranges/{name}":{"get":{"description":"read the specified LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedLimitRange","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"put":{"description":"replace the specified LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedLimitRange","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"delete":{"description":"delete a LimitRange","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedLimitRange","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"patch":{"description":"partially update the specified LimitRange","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedLimitRange","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the LimitRange","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/persistentvolumeclaims":{"get":{"description":"list or watch objects of kind PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedPersistentVolumeClaim","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"post":{"description":"create a PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedPersistentVolumeClaim","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"delete":{"description":"delete collection of PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedPersistentVolumeClaim","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}":{"get":{"description":"read the specified PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPersistentVolumeClaim","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"put":{"description":"replace the specified PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPersistentVolumeClaim","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"delete":{"description":"delete a PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedPersistentVolumeClaim","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"patch":{"description":"partially update the specified PersistentVolumeClaim","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPersistentVolumeClaim","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PersistentVolumeClaim","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/status":{"get":{"description":"read status of the specified PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPersistentVolumeClaimStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"put":{"description":"replace status of the specified PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPersistentVolumeClaimStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"patch":{"description":"partially update status of the specified PersistentVolumeClaim","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPersistentVolumeClaimStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PersistentVolumeClaim","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods":{"get":{"description":"list or watch objects of kind Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedPod","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"post":{"description":"create a Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedPod","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"delete":{"description":"delete collection of Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedPod","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods/{name}":{"get":{"description":"read the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPod","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"put":{"description":"replace the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPod","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"delete":{"description":"delete a Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedPod","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"patch":{"description":"partially update the specified Pod","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPod","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Pod","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods/{name}/attach":{"get":{"description":"connect GET requests to attach of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedPodAttach","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodAttachOptions","version":"v1"}},"post":{"description":"connect POST requests to attach of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedPodAttach","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodAttachOptions","version":"v1"}},"parameters":[{"$ref":"#/parameters/container-_Q-EJ3nR"},{"uniqueItems":true,"type":"string","description":"name of the PodAttachOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/stderr-26jJhFUR"},{"$ref":"#/parameters/stdin-sEFnN3IS"},{"$ref":"#/parameters/stdout-005YMKE6"},{"$ref":"#/parameters/tty-g7MlET_l"}]},"/api/v1/namespaces/{namespace}/pods/{name}/binding":{"post":{"description":"create binding of a Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedPodBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Binding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Binding","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"uniqueItems":true,"type":"string","description":"name of the Binding","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods/{name}/ephemeralcontainers":{"get":{"description":"read ephemeralcontainers of the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPodEphemeralcontainers","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"put":{"description":"replace ephemeralcontainers of the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPodEphemeralcontainers","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"patch":{"description":"partially update ephemeralcontainers of the specified Pod","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPodEphemeralcontainers","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Pod","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods/{name}/eviction":{"post":{"description":"create eviction of a Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedPodEviction","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.Eviction"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.Eviction"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.Eviction"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.Eviction"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"policy","kind":"Eviction","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"uniqueItems":true,"type":"string","description":"name of the Eviction","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/pods/{name}/exec":{"get":{"description":"connect GET requests to exec of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedPodExec","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodExecOptions","version":"v1"}},"post":{"description":"connect POST requests to exec of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedPodExec","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodExecOptions","version":"v1"}},"parameters":[{"$ref":"#/parameters/command-Py3eQybp"},{"$ref":"#/parameters/container-i5dOmRiM"},{"uniqueItems":true,"type":"string","description":"name of the PodExecOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/stderr-W_1TNlWc"},{"$ref":"#/parameters/stdin-PSzNhyUC"},{"$ref":"#/parameters/stdout--EZLRwV1"},{"$ref":"#/parameters/tty-s0flW37O"}]},"/api/v1/namespaces/{namespace}/pods/{name}/log":{"get":{"description":"read log of the specified Pod","consumes":["*/*"],"produces":["text/plain","application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPodLog","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/container-1GeXxFDC"},{"$ref":"#/parameters/follow-9OIXh_2R"},{"$ref":"#/parameters/insecureSkipTLSVerifyBackend-gM00jVbe"},{"$ref":"#/parameters/limitBytes-zwd1RXuc"},{"uniqueItems":true,"type":"string","description":"name of the Pod","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/previous-1jxDPu3y"},{"$ref":"#/parameters/sinceSeconds-vE2NLdnP"},{"$ref":"#/parameters/tailLines-2fRTNzbP"},{"$ref":"#/parameters/timestamps-c17fW1w_"}]},"/api/v1/namespaces/{namespace}/pods/{name}/portforward":{"get":{"description":"connect GET requests to portforward of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedPodPortforward","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodPortForwardOptions","version":"v1"}},"post":{"description":"connect POST requests to portforward of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedPodPortforward","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodPortForwardOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodPortForwardOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/ports-91KROJmm"}]},"/api/v1/namespaces/{namespace}/pods/{name}/proxy":{"get":{"description":"connect GET requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNamespacedPodProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/path-oPbzgLUj"}]},"/api/v1/namespaces/{namespace}/pods/{name}/proxy/{path}":{"get":{"description":"connect GET requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Pod","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNamespacedPodProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"PodProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/path-z6Ciiujn"},{"$ref":"#/parameters/path-oPbzgLUj"}]},"/api/v1/namespaces/{namespace}/pods/{name}/status":{"get":{"description":"read status of the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPodStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"put":{"description":"replace status of the specified Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPodStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"patch":{"description":"partially update status of the specified Pod","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPodStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Pod","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/podtemplates":{"get":{"description":"list or watch objects of kind PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedPodTemplate","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"post":{"description":"create a PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedPodTemplate","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"delete":{"description":"delete collection of PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedPodTemplate","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/podtemplates/{name}":{"get":{"description":"read the specified PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedPodTemplate","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"put":{"description":"replace the specified PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedPodTemplate","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"delete":{"description":"delete a PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedPodTemplate","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"patch":{"description":"partially update the specified PodTemplate","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedPodTemplate","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodTemplate","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/replicationcontrollers":{"get":{"description":"list or watch objects of kind ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedReplicationController","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"post":{"description":"create a ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedReplicationController","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"delete":{"description":"delete collection of ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedReplicationController","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/replicationcontrollers/{name}":{"get":{"description":"read the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedReplicationController","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"put":{"description":"replace the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedReplicationController","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"delete":{"description":"delete a ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedReplicationController","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"patch":{"description":"partially update the specified ReplicationController","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedReplicationController","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ReplicationController","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/scale":{"get":{"description":"read scale of the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedReplicationControllerScale","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"put":{"description":"replace scale of the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedReplicationControllerScale","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"patch":{"description":"partially update scale of the specified ReplicationController","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedReplicationControllerScale","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Scale","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/status":{"get":{"description":"read status of the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedReplicationControllerStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"put":{"description":"replace status of the specified ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedReplicationControllerStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"patch":{"description":"partially update status of the specified ReplicationController","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedReplicationControllerStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ReplicationController","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/resourcequotas":{"get":{"description":"list or watch objects of kind ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedResourceQuota","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"post":{"description":"create a ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedResourceQuota","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"delete":{"description":"delete collection of ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedResourceQuota","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/resourcequotas/{name}":{"get":{"description":"read the specified ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedResourceQuota","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"put":{"description":"replace the specified ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedResourceQuota","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"delete":{"description":"delete a ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedResourceQuota","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"patch":{"description":"partially update the specified ResourceQuota","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedResourceQuota","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ResourceQuota","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/resourcequotas/{name}/status":{"get":{"description":"read status of the specified ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedResourceQuotaStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"put":{"description":"replace status of the specified ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedResourceQuotaStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"patch":{"description":"partially update status of the specified ResourceQuota","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedResourceQuotaStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ResourceQuota","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/secrets":{"get":{"description":"list or watch objects of kind Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedSecret","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.SecretList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"post":{"description":"create a Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedSecret","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"delete":{"description":"delete collection of Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedSecret","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/secrets/{name}":{"get":{"description":"read the specified Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedSecret","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"put":{"description":"replace the specified Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedSecret","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"delete":{"description":"delete a Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedSecret","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"patch":{"description":"partially update the specified Secret","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedSecret","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Secret","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/serviceaccounts":{"get":{"description":"list or watch objects of kind ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedServiceAccount","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccountList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"post":{"description":"create a ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedServiceAccount","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"delete":{"description":"delete collection of ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedServiceAccount","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/serviceaccounts/{name}":{"get":{"description":"read the specified ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedServiceAccount","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"put":{"description":"replace the specified ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedServiceAccount","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"delete":{"description":"delete a ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedServiceAccount","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"patch":{"description":"partially update the specified ServiceAccount","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedServiceAccount","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ServiceAccount","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/serviceaccounts/{name}/token":{"post":{"description":"create token of a ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedServiceAccountToken","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequest"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequest"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authentication.k8s.io","kind":"TokenRequest","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"uniqueItems":true,"type":"string","description":"name of the TokenRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/services":{"get":{"description":"list or watch objects of kind Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1NamespacedService","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"post":{"description":"create a Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1NamespacedService","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"delete":{"description":"delete collection of Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNamespacedService","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/services/{name}":{"get":{"description":"read the specified Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedService","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"put":{"description":"replace the specified Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedService","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"delete":{"description":"delete a Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1NamespacedService","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"patch":{"description":"partially update the specified Service","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedService","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Service","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{namespace}/services/{name}/proxy":{"get":{"description":"connect GET requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNamespacedServiceProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ServiceProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/path-QCf0eosM"}]},"/api/v1/namespaces/{namespace}/services/{name}/proxy/{path}":{"get":{"description":"connect GET requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Service","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNamespacedServiceProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ServiceProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/path-z6Ciiujn"},{"$ref":"#/parameters/path-QCf0eosM"}]},"/api/v1/namespaces/{namespace}/services/{name}/status":{"get":{"description":"read status of the specified Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespacedServiceStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"put":{"description":"replace status of the specified Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespacedServiceStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"patch":{"description":"partially update status of the specified Service","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespacedServiceStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Service","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{name}":{"get":{"description":"read the specified Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1Namespace","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"put":{"description":"replace the specified Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1Namespace","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"delete":{"description":"delete a Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1Namespace","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"patch":{"description":"partially update the specified Namespace","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1Namespace","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Namespace","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{name}/finalize":{"put":{"description":"replace finalize of the specified Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespaceFinalize","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"uniqueItems":true,"type":"string","description":"name of the Namespace","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/namespaces/{name}/status":{"get":{"description":"read status of the specified Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NamespaceStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"put":{"description":"replace status of the specified Namespace","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NamespaceStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"patch":{"description":"partially update status of the specified Namespace","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NamespaceStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Namespace","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/nodes":{"get":{"description":"list or watch objects of kind Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1Node","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"post":{"description":"create a Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1Node","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"delete":{"description":"delete collection of Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionNode","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/nodes/{name}":{"get":{"description":"read the specified Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1Node","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"put":{"description":"replace the specified Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1Node","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"delete":{"description":"delete a Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1Node","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"patch":{"description":"partially update the specified Node","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1Node","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Node","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/nodes/{name}/proxy":{"get":{"description":"connect GET requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNodeProxy","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the NodeProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/path-rFDtV0x9"}]},"/api/v1/nodes/{name}/proxy/{path}":{"get":{"description":"connect GET requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1GetNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"put":{"description":"connect PUT requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PutNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"post":{"description":"connect POST requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PostNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"delete":{"description":"connect DELETE requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1DeleteNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"options":{"description":"connect OPTIONS requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1OptionsNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"head":{"description":"connect HEAD requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1HeadNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"patch":{"description":"connect PATCH requests to proxy of Node","consumes":["*/*"],"produces":["*/*"],"schemes":["https"],"tags":["core_v1"],"operationId":"connectCoreV1PatchNodeProxyWithPath","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"connect","x-kubernetes-group-version-kind":{"group":"","kind":"NodeProxyOptions","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the NodeProxyOptions","name":"name","in":"path","required":true},{"$ref":"#/parameters/path-z6Ciiujn"},{"$ref":"#/parameters/path-rFDtV0x9"}]},"/api/v1/nodes/{name}/status":{"get":{"description":"read status of the specified Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1NodeStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"put":{"description":"replace status of the specified Node","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1NodeStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"patch":{"description":"partially update status of the specified Node","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1NodeStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Node","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/persistentvolumeclaims":{"get":{"description":"list or watch objects of kind PersistentVolumeClaim","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1PersistentVolumeClaimForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/persistentvolumes":{"get":{"description":"list or watch objects of kind PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1PersistentVolume","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"post":{"description":"create a PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"createCoreV1PersistentVolume","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"delete":{"description":"delete collection of PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1CollectionPersistentVolume","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/persistentvolumes/{name}":{"get":{"description":"read the specified PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1PersistentVolume","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"put":{"description":"replace the specified PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1PersistentVolume","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"delete":{"description":"delete a PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"deleteCoreV1PersistentVolume","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"patch":{"description":"partially update the specified PersistentVolume","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1PersistentVolume","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PersistentVolume","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/persistentvolumes/{name}/status":{"get":{"description":"read status of the specified PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"readCoreV1PersistentVolumeStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"put":{"description":"replace status of the specified PersistentVolume","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"replaceCoreV1PersistentVolumeStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"patch":{"description":"partially update status of the specified PersistentVolume","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["core_v1"],"operationId":"patchCoreV1PersistentVolumeStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PersistentVolume","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/api/v1/pods":{"get":{"description":"list or watch objects of kind Pod","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1PodForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/podtemplates":{"get":{"description":"list or watch objects of kind PodTemplate","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1PodTemplateForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/replicationcontrollers":{"get":{"description":"list or watch objects of kind ReplicationController","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ReplicationControllerForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/resourcequotas":{"get":{"description":"list or watch objects of kind ResourceQuota","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ResourceQuotaForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/secrets":{"get":{"description":"list or watch objects of kind Secret","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1SecretForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.SecretList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/serviceaccounts":{"get":{"description":"list or watch objects of kind ServiceAccount","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ServiceAccountForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccountList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/services":{"get":{"description":"list or watch objects of kind Service","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"listCoreV1ServiceForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/configmaps":{"get":{"description":"watch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1ConfigMapListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/endpoints":{"get":{"description":"watch individual changes to a list of Endpoints. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1EndpointsListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/events":{"get":{"description":"watch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1EventListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/limitranges":{"get":{"description":"watch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1LimitRangeListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces":{"get":{"description":"watch individual changes to a list of Namespace. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespaceList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/configmaps":{"get":{"description":"watch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedConfigMapList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/configmaps/{name}":{"get":{"description":"watch changes to an object of kind ConfigMap. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedConfigMap","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"ConfigMap","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ConfigMap","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/endpoints":{"get":{"description":"watch individual changes to a list of Endpoints. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedEndpointsList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/endpoints/{name}":{"get":{"description":"watch changes to an object of kind Endpoints. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedEndpoints","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Endpoints","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Endpoints","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/events":{"get":{"description":"watch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedEventList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/events/{name}":{"get":{"description":"watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedEvent","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Event","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/limitranges":{"get":{"description":"watch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedLimitRangeList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/limitranges/{name}":{"get":{"description":"watch changes to an object of kind LimitRange. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedLimitRange","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"LimitRange","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the LimitRange","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims":{"get":{"description":"watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPersistentVolumeClaimList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims/{name}":{"get":{"description":"watch changes to an object of kind PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPersistentVolumeClaim","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PersistentVolumeClaim","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/pods":{"get":{"description":"watch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPodList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/pods/{name}":{"get":{"description":"watch changes to an object of kind Pod. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPod","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Pod","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/podtemplates":{"get":{"description":"watch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPodTemplateList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/podtemplates/{name}":{"get":{"description":"watch changes to an object of kind PodTemplate. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedPodTemplate","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PodTemplate","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/replicationcontrollers":{"get":{"description":"watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedReplicationControllerList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/replicationcontrollers/{name}":{"get":{"description":"watch changes to an object of kind ReplicationController. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedReplicationController","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ReplicationController","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/resourcequotas":{"get":{"description":"watch individual changes to a list of ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedResourceQuotaList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/resourcequotas/{name}":{"get":{"description":"watch changes to an object of kind ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedResourceQuota","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ResourceQuota","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/secrets":{"get":{"description":"watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedSecretList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/secrets/{name}":{"get":{"description":"watch changes to an object of kind Secret. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedSecret","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Secret","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/serviceaccounts":{"get":{"description":"watch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedServiceAccountList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/serviceaccounts/{name}":{"get":{"description":"watch changes to an object of kind ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedServiceAccount","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ServiceAccount","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/services":{"get":{"description":"watch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedServiceList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{namespace}/services/{name}":{"get":{"description":"watch changes to an object of kind Service. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NamespacedService","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Service","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/namespaces/{name}":{"get":{"description":"watch changes to an object of kind Namespace. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1Namespace","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Namespace","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Namespace","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/nodes":{"get":{"description":"watch individual changes to a list of Node. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1NodeList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/nodes/{name}":{"get":{"description":"watch changes to an object of kind Node. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1Node","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"Node","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Node","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/persistentvolumeclaims":{"get":{"description":"watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1PersistentVolumeClaimListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolumeClaim","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/persistentvolumes":{"get":{"description":"watch individual changes to a list of PersistentVolume. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1PersistentVolumeList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/persistentvolumes/{name}":{"get":{"description":"watch changes to an object of kind PersistentVolume. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1PersistentVolume","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"","kind":"PersistentVolume","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PersistentVolume","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/pods":{"get":{"description":"watch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1PodListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Pod","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/podtemplates":{"get":{"description":"watch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1PodTemplateListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"PodTemplate","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/replicationcontrollers":{"get":{"description":"watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1ReplicationControllerListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ReplicationController","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/resourcequotas":{"get":{"description":"watch individual changes to a list of ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1ResourceQuotaListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ResourceQuota","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/secrets":{"get":{"description":"watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1SecretListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Secret","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/serviceaccounts":{"get":{"description":"watch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1ServiceAccountListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"ServiceAccount","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/api/v1/watch/services":{"get":{"description":"watch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["core_v1"],"operationId":"watchCoreV1ServiceListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"","kind":"Service","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/":{"get":{"description":"get available API versions","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apis"],"operationId":"getAPIVersions","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList"}},"401":{"description":"Unauthorized"}}}},"/apis/admissionregistration.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration"],"operationId":"getAdmissionregistrationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/admissionregistration.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"getAdmissionregistrationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations":{"get":{"description":"list or watch objects of kind MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"listAdmissionregistrationV1MutatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"post":{"description":"create a MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"createAdmissionregistrationV1MutatingWebhookConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"delete":{"description":"delete collection of MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1CollectionMutatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/{name}":{"get":{"description":"read the specified MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"readAdmissionregistrationV1MutatingWebhookConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"put":{"description":"replace the specified MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"replaceAdmissionregistrationV1MutatingWebhookConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"delete":{"description":"delete a MutatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1MutatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"patch":{"description":"partially update the specified MutatingWebhookConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"patchAdmissionregistrationV1MutatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the MutatingWebhookConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies":{"get":{"description":"list or watch objects of kind ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"listAdmissionregistrationV1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"post":{"description":"create a ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"createAdmissionregistrationV1ValidatingAdmissionPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"delete":{"description":"delete collection of ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1CollectionValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}":{"get":{"description":"read the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"readAdmissionregistrationV1ValidatingAdmissionPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"put":{"description":"replace the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"replaceAdmissionregistrationV1ValidatingAdmissionPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"delete":{"description":"delete a ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"patch":{"description":"partially update the specified ValidatingAdmissionPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"patchAdmissionregistrationV1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingadmissionpolicies/{name}/status":{"get":{"description":"read status of the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"readAdmissionregistrationV1ValidatingAdmissionPolicyStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"put":{"description":"replace status of the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"replaceAdmissionregistrationV1ValidatingAdmissionPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"patch":{"description":"partially update status of the specified ValidatingAdmissionPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"patchAdmissionregistrationV1ValidatingAdmissionPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings":{"get":{"description":"list or watch objects of kind ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"listAdmissionregistrationV1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"post":{"description":"create a ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"createAdmissionregistrationV1ValidatingAdmissionPolicyBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"delete":{"description":"delete collection of ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1CollectionValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingadmissionpolicybindings/{name}":{"get":{"description":"read the specified ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"readAdmissionregistrationV1ValidatingAdmissionPolicyBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"put":{"description":"replace the specified ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"replaceAdmissionregistrationV1ValidatingAdmissionPolicyBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"delete":{"description":"delete a ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"patch":{"description":"partially update the specified ValidatingAdmissionPolicyBinding","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"patchAdmissionregistrationV1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicyBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations":{"get":{"description":"list or watch objects of kind ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"listAdmissionregistrationV1ValidatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"post":{"description":"create a ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"createAdmissionregistrationV1ValidatingWebhookConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"delete":{"description":"delete collection of ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1CollectionValidatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/{name}":{"get":{"description":"read the specified ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"readAdmissionregistrationV1ValidatingWebhookConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"put":{"description":"replace the specified ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"replaceAdmissionregistrationV1ValidatingWebhookConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"delete":{"description":"delete a ValidatingWebhookConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"deleteAdmissionregistrationV1ValidatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"patch":{"description":"partially update the specified ValidatingWebhookConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"patchAdmissionregistrationV1ValidatingWebhookConfiguration","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingWebhookConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations":{"get":{"description":"watch individual changes to a list of MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1MutatingWebhookConfigurationList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations/{name}":{"get":{"description":"watch changes to an object of kind MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1MutatingWebhookConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the MutatingWebhookConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingadmissionpolicies":{"get":{"description":"watch individual changes to a list of ValidatingAdmissionPolicy. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingAdmissionPolicyList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingadmissionpolicies/{name}":{"get":{"description":"watch changes to an object of kind ValidatingAdmissionPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingAdmissionPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingadmissionpolicybindings":{"get":{"description":"watch individual changes to a list of ValidatingAdmissionPolicyBinding. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingAdmissionPolicyBindingList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingadmissionpolicybindings/{name}":{"get":{"description":"watch changes to an object of kind ValidatingAdmissionPolicyBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingAdmissionPolicyBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicyBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations":{"get":{"description":"watch individual changes to a list of ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingWebhookConfigurationList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations/{name}":{"get":{"description":"watch changes to an object of kind ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1"],"operationId":"watchAdmissionregistrationV1ValidatingWebhookConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ValidatingWebhookConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1beta1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"getAdmissionregistrationV1beta1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/admissionregistration.k8s.io/v1beta1/validatingadmissionpolicies":{"get":{"description":"list or watch objects of kind ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"listAdmissionregistrationV1beta1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"post":{"description":"create a ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"createAdmissionregistrationV1beta1ValidatingAdmissionPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"delete":{"description":"delete collection of ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"deleteAdmissionregistrationV1beta1CollectionValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1beta1/validatingadmissionpolicies/{name}":{"get":{"description":"read the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"readAdmissionregistrationV1beta1ValidatingAdmissionPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"put":{"description":"replace the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"replaceAdmissionregistrationV1beta1ValidatingAdmissionPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"delete":{"description":"delete a ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"deleteAdmissionregistrationV1beta1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"patch":{"description":"partially update the specified ValidatingAdmissionPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"patchAdmissionregistrationV1beta1ValidatingAdmissionPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1beta1/validatingadmissionpolicies/{name}/status":{"get":{"description":"read status of the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"readAdmissionregistrationV1beta1ValidatingAdmissionPolicyStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"put":{"description":"replace status of the specified ValidatingAdmissionPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"replaceAdmissionregistrationV1beta1ValidatingAdmissionPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"patch":{"description":"partially update status of the specified ValidatingAdmissionPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"patchAdmissionregistrationV1beta1ValidatingAdmissionPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1beta1/validatingadmissionpolicybindings":{"get":{"description":"list or watch objects of kind ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"listAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"post":{"description":"create a ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"createAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"delete":{"description":"delete collection of ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"deleteAdmissionregistrationV1beta1CollectionValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1beta1/validatingadmissionpolicybindings/{name}":{"get":{"description":"read the specified ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"readAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"put":{"description":"replace the specified ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"replaceAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"delete":{"description":"delete a ValidatingAdmissionPolicyBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"deleteAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"patch":{"description":"partially update the specified ValidatingAdmissionPolicyBinding","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"patchAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicyBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/admissionregistration.k8s.io/v1beta1/watch/validatingadmissionpolicies":{"get":{"description":"watch individual changes to a list of ValidatingAdmissionPolicy. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"watchAdmissionregistrationV1beta1ValidatingAdmissionPolicyList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1beta1/watch/validatingadmissionpolicies/{name}":{"get":{"description":"watch changes to an object of kind ValidatingAdmissionPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"watchAdmissionregistrationV1beta1ValidatingAdmissionPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1beta1/watch/validatingadmissionpolicybindings":{"get":{"description":"watch individual changes to a list of ValidatingAdmissionPolicyBinding. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"watchAdmissionregistrationV1beta1ValidatingAdmissionPolicyBindingList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/admissionregistration.k8s.io/v1beta1/watch/validatingadmissionpolicybindings/{name}":{"get":{"description":"watch changes to an object of kind ValidatingAdmissionPolicyBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["admissionregistration_v1beta1"],"operationId":"watchAdmissionregistrationV1beta1ValidatingAdmissionPolicyBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ValidatingAdmissionPolicyBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apiextensions.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions"],"operationId":"getApiextensionsAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/apiextensions.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"getApiextensionsV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/apiextensions.k8s.io/v1/customresourcedefinitions":{"get":{"description":"list or watch objects of kind CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"listApiextensionsV1CustomResourceDefinition","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"post":{"description":"create a CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"createApiextensionsV1CustomResourceDefinition","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"delete":{"description":"delete collection of CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"deleteApiextensionsV1CollectionCustomResourceDefinition","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}":{"get":{"description":"read the specified CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"readApiextensionsV1CustomResourceDefinition","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"put":{"description":"replace the specified CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"replaceApiextensionsV1CustomResourceDefinition","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"delete":{"description":"delete a CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"deleteApiextensionsV1CustomResourceDefinition","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"patch":{"description":"partially update the specified CustomResourceDefinition","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"patchApiextensionsV1CustomResourceDefinition","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CustomResourceDefinition","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/status":{"get":{"description":"read status of the specified CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"readApiextensionsV1CustomResourceDefinitionStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"put":{"description":"replace status of the specified CustomResourceDefinition","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"replaceApiextensionsV1CustomResourceDefinitionStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"patch":{"description":"partially update status of the specified CustomResourceDefinition","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"patchApiextensionsV1CustomResourceDefinitionStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CustomResourceDefinition","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiextensions.k8s.io/v1/watch/customresourcedefinitions":{"get":{"description":"watch individual changes to a list of CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"watchApiextensionsV1CustomResourceDefinitionList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apiextensions.k8s.io/v1/watch/customresourcedefinitions/{name}":{"get":{"description":"watch changes to an object of kind CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiextensions_v1"],"operationId":"watchApiextensionsV1CustomResourceDefinition","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CustomResourceDefinition","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apiregistration.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration"],"operationId":"getApiregistrationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/apiregistration.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"getApiregistrationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/apiregistration.k8s.io/v1/apiservices":{"get":{"description":"list or watch objects of kind APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"listApiregistrationV1APIService","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"post":{"description":"create an APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"createApiregistrationV1APIService","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"delete":{"description":"delete collection of APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"deleteApiregistrationV1CollectionAPIService","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiregistration.k8s.io/v1/apiservices/{name}":{"get":{"description":"read the specified APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"readApiregistrationV1APIService","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"put":{"description":"replace the specified APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"replaceApiregistrationV1APIService","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"delete":{"description":"delete an APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"deleteApiregistrationV1APIService","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"patch":{"description":"partially update the specified APIService","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"patchApiregistrationV1APIService","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the APIService","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiregistration.k8s.io/v1/apiservices/{name}/status":{"get":{"description":"read status of the specified APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"readApiregistrationV1APIServiceStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"put":{"description":"replace status of the specified APIService","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"replaceApiregistrationV1APIServiceStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"patch":{"description":"partially update status of the specified APIService","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"patchApiregistrationV1APIServiceStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the APIService","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apiregistration.k8s.io/v1/watch/apiservices":{"get":{"description":"watch individual changes to a list of APIService. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"watchApiregistrationV1APIServiceList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apiregistration.k8s.io/v1/watch/apiservices/{name}":{"get":{"description":"watch changes to an object of kind APIService. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apiregistration_v1"],"operationId":"watchApiregistrationV1APIService","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apiregistration.k8s.io","version":"v1","kind":"APIService"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the APIService","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps"],"operationId":"getAppsAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/apps/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"getAppsV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/apps/v1/controllerrevisions":{"get":{"description":"list or watch objects of kind ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1ControllerRevisionForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevisionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/daemonsets":{"get":{"description":"list or watch objects of kind DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1DaemonSetForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/deployments":{"get":{"description":"list or watch objects of kind Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1DeploymentForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/namespaces/{namespace}/controllerrevisions":{"get":{"description":"list or watch objects of kind ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1NamespacedControllerRevision","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevisionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"post":{"description":"create a ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"createAppsV1NamespacedControllerRevision","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"delete":{"description":"delete collection of ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1CollectionNamespacedControllerRevision","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}":{"get":{"description":"read the specified ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedControllerRevision","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"put":{"description":"replace the specified ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedControllerRevision","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"delete":{"description":"delete a ControllerRevision","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1NamespacedControllerRevision","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"patch":{"description":"partially update the specified ControllerRevision","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedControllerRevision","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ControllerRevision","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/daemonsets":{"get":{"description":"list or watch objects of kind DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1NamespacedDaemonSet","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"post":{"description":"create a DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"createAppsV1NamespacedDaemonSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"delete":{"description":"delete collection of DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1CollectionNamespacedDaemonSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}":{"get":{"description":"read the specified DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedDaemonSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"put":{"description":"replace the specified DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedDaemonSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"delete":{"description":"delete a DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1NamespacedDaemonSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"patch":{"description":"partially update the specified DaemonSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedDaemonSet","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the DaemonSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status":{"get":{"description":"read status of the specified DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedDaemonSetStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"put":{"description":"replace status of the specified DaemonSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedDaemonSetStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"patch":{"description":"partially update status of the specified DaemonSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedDaemonSetStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the DaemonSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/deployments":{"get":{"description":"list or watch objects of kind Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1NamespacedDeployment","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"post":{"description":"create a Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"createAppsV1NamespacedDeployment","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"delete":{"description":"delete collection of Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1CollectionNamespacedDeployment","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/deployments/{name}":{"get":{"description":"read the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedDeployment","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"put":{"description":"replace the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedDeployment","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"delete":{"description":"delete a Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1NamespacedDeployment","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"patch":{"description":"partially update the specified Deployment","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedDeployment","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Deployment","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale":{"get":{"description":"read scale of the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedDeploymentScale","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"put":{"description":"replace scale of the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedDeploymentScale","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"patch":{"description":"partially update scale of the specified Deployment","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedDeploymentScale","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Scale","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status":{"get":{"description":"read status of the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedDeploymentStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"put":{"description":"replace status of the specified Deployment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedDeploymentStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"patch":{"description":"partially update status of the specified Deployment","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedDeploymentStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Deployment","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/replicasets":{"get":{"description":"list or watch objects of kind ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1NamespacedReplicaSet","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"post":{"description":"create a ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"createAppsV1NamespacedReplicaSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"delete":{"description":"delete collection of ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1CollectionNamespacedReplicaSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/replicasets/{name}":{"get":{"description":"read the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedReplicaSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"put":{"description":"replace the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedReplicaSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"delete":{"description":"delete a ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1NamespacedReplicaSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"patch":{"description":"partially update the specified ReplicaSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedReplicaSet","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ReplicaSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale":{"get":{"description":"read scale of the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedReplicaSetScale","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"put":{"description":"replace scale of the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedReplicaSetScale","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"patch":{"description":"partially update scale of the specified ReplicaSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedReplicaSetScale","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Scale","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status":{"get":{"description":"read status of the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedReplicaSetStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"put":{"description":"replace status of the specified ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedReplicaSetStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"patch":{"description":"partially update status of the specified ReplicaSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedReplicaSetStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ReplicaSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/statefulsets":{"get":{"description":"list or watch objects of kind StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1NamespacedStatefulSet","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"post":{"description":"create a StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"createAppsV1NamespacedStatefulSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"delete":{"description":"delete collection of StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1CollectionNamespacedStatefulSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}":{"get":{"description":"read the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedStatefulSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"put":{"description":"replace the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedStatefulSet","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"delete":{"description":"delete a StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"deleteAppsV1NamespacedStatefulSet","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"patch":{"description":"partially update the specified StatefulSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedStatefulSet","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the StatefulSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale":{"get":{"description":"read scale of the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedStatefulSetScale","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"put":{"description":"replace scale of the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedStatefulSetScale","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"patch":{"description":"partially update scale of the specified StatefulSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedStatefulSetScale","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.Scale"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"Scale","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Scale","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status":{"get":{"description":"read status of the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"readAppsV1NamespacedStatefulSetStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"put":{"description":"replace status of the specified StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"replaceAppsV1NamespacedStatefulSetStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"patch":{"description":"partially update status of the specified StatefulSet","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["apps_v1"],"operationId":"patchAppsV1NamespacedStatefulSetStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the StatefulSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/apps/v1/replicasets":{"get":{"description":"list or watch objects of kind ReplicaSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1ReplicaSetForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/statefulsets":{"get":{"description":"list or watch objects of kind StatefulSet","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"listAppsV1StatefulSetForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/controllerrevisions":{"get":{"description":"watch individual changes to a list of ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1ControllerRevisionListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/daemonsets":{"get":{"description":"watch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1DaemonSetListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/deployments":{"get":{"description":"watch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1DeploymentListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions":{"get":{"description":"watch individual changes to a list of ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedControllerRevisionList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions/{name}":{"get":{"description":"watch changes to an object of kind ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedControllerRevision","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apps","kind":"ControllerRevision","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ControllerRevision","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/daemonsets":{"get":{"description":"watch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedDaemonSetList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/daemonsets/{name}":{"get":{"description":"watch changes to an object of kind DaemonSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedDaemonSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apps","kind":"DaemonSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the DaemonSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/deployments":{"get":{"description":"watch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedDeploymentList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/deployments/{name}":{"get":{"description":"watch changes to an object of kind Deployment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedDeployment","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apps","kind":"Deployment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Deployment","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/replicasets":{"get":{"description":"watch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedReplicaSetList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/replicasets/{name}":{"get":{"description":"watch changes to an object of kind ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedReplicaSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ReplicaSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/statefulsets":{"get":{"description":"watch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedStatefulSetList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/namespaces/{namespace}/statefulsets/{name}":{"get":{"description":"watch changes to an object of kind StatefulSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1NamespacedStatefulSet","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the StatefulSet","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/replicasets":{"get":{"description":"watch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1ReplicaSetListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"ReplicaSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/apps/v1/watch/statefulsets":{"get":{"description":"watch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["apps_v1"],"operationId":"watchAppsV1StatefulSetListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"apps","kind":"StatefulSet","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/authentication.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authentication"],"operationId":"getAuthenticationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/authentication.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authentication_v1"],"operationId":"getAuthenticationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/authentication.k8s.io/v1/selfsubjectreviews":{"post":{"description":"create a SelfSubjectReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authentication_v1"],"operationId":"createAuthenticationV1SelfSubjectReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authentication.k8s.io","kind":"SelfSubjectReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/authentication.k8s.io/v1/tokenreviews":{"post":{"description":"create a TokenReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authentication_v1"],"operationId":"createAuthenticationV1TokenReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authentication.k8s.io","kind":"TokenReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/authorization.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization"],"operationId":"getAuthorizationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/authorization.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization_v1"],"operationId":"getAuthorizationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews":{"post":{"description":"create a LocalSubjectAccessReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization_v1"],"operationId":"createAuthorizationV1NamespacedLocalSubjectAccessReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authorization.k8s.io","kind":"LocalSubjectAccessReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews":{"post":{"description":"create a SelfSubjectAccessReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization_v1"],"operationId":"createAuthorizationV1SelfSubjectAccessReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authorization.k8s.io","kind":"SelfSubjectAccessReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/authorization.k8s.io/v1/selfsubjectrulesreviews":{"post":{"description":"create a SelfSubjectRulesReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization_v1"],"operationId":"createAuthorizationV1SelfSubjectRulesReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authorization.k8s.io","kind":"SelfSubjectRulesReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/authorization.k8s.io/v1/subjectaccessreviews":{"post":{"description":"create a SubjectAccessReview","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["authorization_v1"],"operationId":"createAuthorizationV1SubjectAccessReview","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview"}}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"authorization.k8s.io","kind":"SubjectAccessReview","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling"],"operationId":"getAutoscalingAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/autoscaling/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"getAutoscalingV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/autoscaling/v1/horizontalpodautoscalers":{"get":{"description":"list or watch objects of kind HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"listAutoscalingV1HorizontalPodAutoscalerForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers":{"get":{"description":"list or watch objects of kind HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"listAutoscalingV1NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"post":{"description":"create a HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"createAutoscalingV1NamespacedHorizontalPodAutoscaler","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"delete":{"description":"delete collection of HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}":{"get":{"description":"read the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"readAutoscalingV1NamespacedHorizontalPodAutoscaler","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"put":{"description":"replace the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"replaceAutoscalingV1NamespacedHorizontalPodAutoscaler","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"delete":{"description":"delete a HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"deleteAutoscalingV1NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"patch":{"description":"partially update the specified HorizontalPodAutoscaler","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"patchAutoscalingV1NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}/status":{"get":{"description":"read status of the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"readAutoscalingV1NamespacedHorizontalPodAutoscalerStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"put":{"description":"replace status of the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"replaceAutoscalingV1NamespacedHorizontalPodAutoscalerStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"patch":{"description":"partially update status of the specified HorizontalPodAutoscaler","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"patchAutoscalingV1NamespacedHorizontalPodAutoscalerStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v1/watch/horizontalpodautoscalers":{"get":{"description":"watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"watchAutoscalingV1HorizontalPodAutoscalerListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalers":{"get":{"description":"watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"watchAutoscalingV1NamespacedHorizontalPodAutoscalerList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}":{"get":{"description":"watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v1"],"operationId":"watchAutoscalingV1NamespacedHorizontalPodAutoscaler","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v2/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"getAutoscalingV2APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/autoscaling/v2/horizontalpodautoscalers":{"get":{"description":"list or watch objects of kind HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"listAutoscalingV2HorizontalPodAutoscalerForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v2/namespaces/{namespace}/horizontalpodautoscalers":{"get":{"description":"list or watch objects of kind HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"listAutoscalingV2NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"post":{"description":"create a HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"createAutoscalingV2NamespacedHorizontalPodAutoscaler","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"delete":{"description":"delete collection of HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"deleteAutoscalingV2CollectionNamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v2/namespaces/{namespace}/horizontalpodautoscalers/{name}":{"get":{"description":"read the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"readAutoscalingV2NamespacedHorizontalPodAutoscaler","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"put":{"description":"replace the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"replaceAutoscalingV2NamespacedHorizontalPodAutoscaler","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"delete":{"description":"delete a HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"deleteAutoscalingV2NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"patch":{"description":"partially update the specified HorizontalPodAutoscaler","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"patchAutoscalingV2NamespacedHorizontalPodAutoscaler","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v2/namespaces/{namespace}/horizontalpodautoscalers/{name}/status":{"get":{"description":"read status of the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"readAutoscalingV2NamespacedHorizontalPodAutoscalerStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"put":{"description":"replace status of the specified HorizontalPodAutoscaler","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"replaceAutoscalingV2NamespacedHorizontalPodAutoscalerStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"patch":{"description":"partially update status of the specified HorizontalPodAutoscaler","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"patchAutoscalingV2NamespacedHorizontalPodAutoscalerStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/autoscaling/v2/watch/horizontalpodautoscalers":{"get":{"description":"watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"watchAutoscalingV2HorizontalPodAutoscalerListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v2/watch/namespaces/{namespace}/horizontalpodautoscalers":{"get":{"description":"watch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"watchAutoscalingV2NamespacedHorizontalPodAutoscalerList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/autoscaling/v2/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}":{"get":{"description":"watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["autoscaling_v2"],"operationId":"watchAutoscalingV2NamespacedHorizontalPodAutoscaler","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the HorizontalPodAutoscaler","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch"],"operationId":"getBatchAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/batch/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"getBatchV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/batch/v1/cronjobs":{"get":{"description":"list or watch objects of kind CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"listBatchV1CronJobForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJobList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/jobs":{"get":{"description":"list or watch objects of kind Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"listBatchV1JobForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.JobList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/namespaces/{namespace}/cronjobs":{"get":{"description":"list or watch objects of kind CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"listBatchV1NamespacedCronJob","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJobList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"post":{"description":"create a CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"createBatchV1NamespacedCronJob","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"delete":{"description":"delete collection of CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"deleteBatchV1CollectionNamespacedCronJob","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/namespaces/{namespace}/cronjobs/{name}":{"get":{"description":"read the specified CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"readBatchV1NamespacedCronJob","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"put":{"description":"replace the specified CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"replaceBatchV1NamespacedCronJob","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"delete":{"description":"delete a CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"deleteBatchV1NamespacedCronJob","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"patch":{"description":"partially update the specified CronJob","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"patchBatchV1NamespacedCronJob","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CronJob","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/namespaces/{namespace}/cronjobs/{name}/status":{"get":{"description":"read status of the specified CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"readBatchV1NamespacedCronJobStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"put":{"description":"replace status of the specified CronJob","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"replaceBatchV1NamespacedCronJobStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"patch":{"description":"partially update status of the specified CronJob","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"patchBatchV1NamespacedCronJobStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CronJob","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/namespaces/{namespace}/jobs":{"get":{"description":"list or watch objects of kind Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"listBatchV1NamespacedJob","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.JobList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"post":{"description":"create a Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"createBatchV1NamespacedJob","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"delete":{"description":"delete collection of Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"deleteBatchV1CollectionNamespacedJob","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/namespaces/{namespace}/jobs/{name}":{"get":{"description":"read the specified Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"readBatchV1NamespacedJob","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"put":{"description":"replace the specified Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"replaceBatchV1NamespacedJob","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"delete":{"description":"delete a Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"deleteBatchV1NamespacedJob","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"patch":{"description":"partially update the specified Job","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"patchBatchV1NamespacedJob","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Job","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/namespaces/{namespace}/jobs/{name}/status":{"get":{"description":"read status of the specified Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"readBatchV1NamespacedJobStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"put":{"description":"replace status of the specified Job","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"replaceBatchV1NamespacedJobStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"patch":{"description":"partially update status of the specified Job","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["batch_v1"],"operationId":"patchBatchV1NamespacedJobStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Job","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/batch/v1/watch/cronjobs":{"get":{"description":"watch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1CronJobListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/watch/jobs":{"get":{"description":"watch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1JobListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/watch/namespaces/{namespace}/cronjobs":{"get":{"description":"watch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1NamespacedCronJobList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/watch/namespaces/{namespace}/cronjobs/{name}":{"get":{"description":"watch changes to an object of kind CronJob. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1NamespacedCronJob","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"batch","kind":"CronJob","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CronJob","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/watch/namespaces/{namespace}/jobs":{"get":{"description":"watch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1NamespacedJobList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/batch/v1/watch/namespaces/{namespace}/jobs/{name}":{"get":{"description":"watch changes to an object of kind Job. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["batch_v1"],"operationId":"watchBatchV1NamespacedJob","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"batch","kind":"Job","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Job","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/certificates.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates"],"operationId":"getCertificatesAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/certificates.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"getCertificatesV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/certificates.k8s.io/v1/certificatesigningrequests":{"get":{"description":"list or watch objects of kind CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"listCertificatesV1CertificateSigningRequest","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"post":{"description":"create a CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"createCertificatesV1CertificateSigningRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"delete":{"description":"delete collection of CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"deleteCertificatesV1CollectionCertificateSigningRequest","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}":{"get":{"description":"read the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"readCertificatesV1CertificateSigningRequest","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"put":{"description":"replace the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"replaceCertificatesV1CertificateSigningRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"delete":{"description":"delete a CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"deleteCertificatesV1CertificateSigningRequest","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"patch":{"description":"partially update the specified CertificateSigningRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"patchCertificatesV1CertificateSigningRequest","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CertificateSigningRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval":{"get":{"description":"read approval of the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"readCertificatesV1CertificateSigningRequestApproval","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"put":{"description":"replace approval of the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"replaceCertificatesV1CertificateSigningRequestApproval","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"patch":{"description":"partially update approval of the specified CertificateSigningRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"patchCertificatesV1CertificateSigningRequestApproval","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CertificateSigningRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status":{"get":{"description":"read status of the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"readCertificatesV1CertificateSigningRequestStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"put":{"description":"replace status of the specified CertificateSigningRequest","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"replaceCertificatesV1CertificateSigningRequestStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"patch":{"description":"partially update status of the specified CertificateSigningRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"patchCertificatesV1CertificateSigningRequestStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CertificateSigningRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/certificates.k8s.io/v1/watch/certificatesigningrequests":{"get":{"description":"watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"watchCertificatesV1CertificateSigningRequestList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/certificates.k8s.io/v1/watch/certificatesigningrequests/{name}":{"get":{"description":"watch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["certificates_v1"],"operationId":"watchCertificatesV1CertificateSigningRequest","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CertificateSigningRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/coordination.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination"],"operationId":"getCoordinationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/coordination.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"getCoordinationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/coordination.k8s.io/v1/leases":{"get":{"description":"list or watch objects of kind Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"listCoordinationV1LeaseForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.LeaseList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases":{"get":{"description":"list or watch objects of kind Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"listCoordinationV1NamespacedLease","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.LeaseList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"post":{"description":"create a Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"createCoordinationV1NamespacedLease","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"delete":{"description":"delete collection of Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"deleteCoordinationV1CollectionNamespacedLease","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}":{"get":{"description":"read the specified Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"readCoordinationV1NamespacedLease","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"put":{"description":"replace the specified Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"replaceCoordinationV1NamespacedLease","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"delete":{"description":"delete a Lease","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"deleteCoordinationV1NamespacedLease","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"patch":{"description":"partially update the specified Lease","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"patchCoordinationV1NamespacedLease","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Lease","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/coordination.k8s.io/v1/watch/leases":{"get":{"description":"watch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"watchCoordinationV1LeaseListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases":{"get":{"description":"watch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"watchCoordinationV1NamespacedLeaseList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases/{name}":{"get":{"description":"watch changes to an object of kind Lease. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["coordination_v1"],"operationId":"watchCoordinationV1NamespacedLease","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Lease","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/discovery.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery"],"operationId":"getDiscoveryAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/discovery.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"getDiscoveryV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/discovery.k8s.io/v1/endpointslices":{"get":{"description":"list or watch objects of kind EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"listDiscoveryV1EndpointSliceForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSliceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices":{"get":{"description":"list or watch objects of kind EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"listDiscoveryV1NamespacedEndpointSlice","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSliceList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"post":{"description":"create an EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"createDiscoveryV1NamespacedEndpointSlice","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"delete":{"description":"delete collection of EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"deleteDiscoveryV1CollectionNamespacedEndpointSlice","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices/{name}":{"get":{"description":"read the specified EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"readDiscoveryV1NamespacedEndpointSlice","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"put":{"description":"replace the specified EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"replaceDiscoveryV1NamespacedEndpointSlice","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"delete":{"description":"delete an EndpointSlice","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"deleteDiscoveryV1NamespacedEndpointSlice","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"patch":{"description":"partially update the specified EndpointSlice","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"patchDiscoveryV1NamespacedEndpointSlice","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the EndpointSlice","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/discovery.k8s.io/v1/watch/endpointslices":{"get":{"description":"watch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"watchDiscoveryV1EndpointSliceListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/discovery.k8s.io/v1/watch/namespaces/{namespace}/endpointslices":{"get":{"description":"watch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"watchDiscoveryV1NamespacedEndpointSliceList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/discovery.k8s.io/v1/watch/namespaces/{namespace}/endpointslices/{name}":{"get":{"description":"watch changes to an object of kind EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["discovery_v1"],"operationId":"watchDiscoveryV1NamespacedEndpointSlice","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the EndpointSlice","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/events.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events"],"operationId":"getEventsAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/events.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"getEventsV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/events.k8s.io/v1/events":{"get":{"description":"list or watch objects of kind Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["events_v1"],"operationId":"listEventsV1EventForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.EventList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/events.k8s.io/v1/namespaces/{namespace}/events":{"get":{"description":"list or watch objects of kind Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["events_v1"],"operationId":"listEventsV1NamespacedEvent","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.EventList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"post":{"description":"create an Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"createEventsV1NamespacedEvent","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"delete":{"description":"delete collection of Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"deleteEventsV1CollectionNamespacedEvent","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/events.k8s.io/v1/namespaces/{namespace}/events/{name}":{"get":{"description":"read the specified Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"readEventsV1NamespacedEvent","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"put":{"description":"replace the specified Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"replaceEventsV1NamespacedEvent","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"delete":{"description":"delete an Event","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"deleteEventsV1NamespacedEvent","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"patch":{"description":"partially update the specified Event","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["events_v1"],"operationId":"patchEventsV1NamespacedEvent","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Event","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/events.k8s.io/v1/watch/events":{"get":{"description":"watch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["events_v1"],"operationId":"watchEventsV1EventListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/events.k8s.io/v1/watch/namespaces/{namespace}/events":{"get":{"description":"watch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["events_v1"],"operationId":"watchEventsV1NamespacedEventList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/events.k8s.io/v1/watch/namespaces/{namespace}/events/{name}":{"get":{"description":"watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["events_v1"],"operationId":"watchEventsV1NamespacedEvent","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"events.k8s.io","kind":"Event","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Event","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver"],"operationId":"getFlowcontrolApiserverAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/flowcontrol.apiserver.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"getFlowcontrolApiserverV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas":{"get":{"description":"list or watch objects of kind FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"listFlowcontrolApiserverV1FlowSchema","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"post":{"description":"create a FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"createFlowcontrolApiserverV1FlowSchema","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"delete":{"description":"delete collection of FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"deleteFlowcontrolApiserverV1CollectionFlowSchema","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}":{"get":{"description":"read the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"readFlowcontrolApiserverV1FlowSchema","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"put":{"description":"replace the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"replaceFlowcontrolApiserverV1FlowSchema","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"delete":{"description":"delete a FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"deleteFlowcontrolApiserverV1FlowSchema","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"patch":{"description":"partially update the specified FlowSchema","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"patchFlowcontrolApiserverV1FlowSchema","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/flowschemas/{name}/status":{"get":{"description":"read status of the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"readFlowcontrolApiserverV1FlowSchemaStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"put":{"description":"replace status of the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"replaceFlowcontrolApiserverV1FlowSchemaStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"patch":{"description":"partially update status of the specified FlowSchema","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"patchFlowcontrolApiserverV1FlowSchemaStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations":{"get":{"description":"list or watch objects of kind PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"listFlowcontrolApiserverV1PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"post":{"description":"create a PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"createFlowcontrolApiserverV1PriorityLevelConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"delete":{"description":"delete collection of PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"deleteFlowcontrolApiserverV1CollectionPriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}":{"get":{"description":"read the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"readFlowcontrolApiserverV1PriorityLevelConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"put":{"description":"replace the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"replaceFlowcontrolApiserverV1PriorityLevelConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"delete":{"description":"delete a PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"deleteFlowcontrolApiserverV1PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"patch":{"description":"partially update the specified PriorityLevelConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"patchFlowcontrolApiserverV1PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/prioritylevelconfigurations/{name}/status":{"get":{"description":"read status of the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"readFlowcontrolApiserverV1PriorityLevelConfigurationStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"put":{"description":"replace status of the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"replaceFlowcontrolApiserverV1PriorityLevelConfigurationStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"patch":{"description":"partially update status of the specified PriorityLevelConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"patchFlowcontrolApiserverV1PriorityLevelConfigurationStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas":{"get":{"description":"watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"watchFlowcontrolApiserverV1FlowSchemaList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/watch/flowschemas/{name}":{"get":{"description":"watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"watchFlowcontrolApiserverV1FlowSchema","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/watch/prioritylevelconfigurations":{"get":{"description":"watch individual changes to a list of PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"watchFlowcontrolApiserverV1PriorityLevelConfigurationList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1/watch/prioritylevelconfigurations/{name}":{"get":{"description":"watch changes to an object of kind PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1"],"operationId":"watchFlowcontrolApiserverV1PriorityLevelConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"getFlowcontrolApiserverV1beta3APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas":{"get":{"description":"list or watch objects of kind FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"listFlowcontrolApiserverV1beta3FlowSchema","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"post":{"description":"create a FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"createFlowcontrolApiserverV1beta3FlowSchema","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"delete":{"description":"delete collection of FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"deleteFlowcontrolApiserverV1beta3CollectionFlowSchema","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}":{"get":{"description":"read the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"readFlowcontrolApiserverV1beta3FlowSchema","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"put":{"description":"replace the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"replaceFlowcontrolApiserverV1beta3FlowSchema","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"delete":{"description":"delete a FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"deleteFlowcontrolApiserverV1beta3FlowSchema","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"patch":{"description":"partially update the specified FlowSchema","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"patchFlowcontrolApiserverV1beta3FlowSchema","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/flowschemas/{name}/status":{"get":{"description":"read status of the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"readFlowcontrolApiserverV1beta3FlowSchemaStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"put":{"description":"replace status of the specified FlowSchema","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"replaceFlowcontrolApiserverV1beta3FlowSchemaStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"patch":{"description":"partially update status of the specified FlowSchema","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"patchFlowcontrolApiserverV1beta3FlowSchemaStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/prioritylevelconfigurations":{"get":{"description":"list or watch objects of kind PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"listFlowcontrolApiserverV1beta3PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"post":{"description":"create a PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"createFlowcontrolApiserverV1beta3PriorityLevelConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"delete":{"description":"delete collection of PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"deleteFlowcontrolApiserverV1beta3CollectionPriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/prioritylevelconfigurations/{name}":{"get":{"description":"read the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"readFlowcontrolApiserverV1beta3PriorityLevelConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"put":{"description":"replace the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"replaceFlowcontrolApiserverV1beta3PriorityLevelConfiguration","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"delete":{"description":"delete a PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"deleteFlowcontrolApiserverV1beta3PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"patch":{"description":"partially update the specified PriorityLevelConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"patchFlowcontrolApiserverV1beta3PriorityLevelConfiguration","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/prioritylevelconfigurations/{name}/status":{"get":{"description":"read status of the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"readFlowcontrolApiserverV1beta3PriorityLevelConfigurationStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"put":{"description":"replace status of the specified PriorityLevelConfiguration","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"replaceFlowcontrolApiserverV1beta3PriorityLevelConfigurationStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"patch":{"description":"partially update status of the specified PriorityLevelConfiguration","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"patchFlowcontrolApiserverV1beta3PriorityLevelConfigurationStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas":{"get":{"description":"watch individual changes to a list of FlowSchema. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"watchFlowcontrolApiserverV1beta3FlowSchemaList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/flowschemas/{name}":{"get":{"description":"watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"watchFlowcontrolApiserverV1beta3FlowSchema","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the FlowSchema","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/prioritylevelconfigurations":{"get":{"description":"watch individual changes to a list of PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"watchFlowcontrolApiserverV1beta3PriorityLevelConfigurationList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/flowcontrol.apiserver.k8s.io/v1beta3/watch/prioritylevelconfigurations/{name}":{"get":{"description":"watch changes to an object of kind PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["flowcontrolApiserver_v1beta3"],"operationId":"watchFlowcontrolApiserverV1beta3PriorityLevelConfiguration","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PriorityLevelConfiguration","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v1/clusterpolicies":{"get":{"description":"list objects of kind ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"listKyvernoIoV1ClusterPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"post":{"description":"create a ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"createKyvernoIoV1ClusterPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"delete":{"description":"delete collection of ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"deleteKyvernoIoV1CollectionClusterPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/clusterpolicies/{name}":{"get":{"description":"read the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"readKyvernoIoV1ClusterPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"put":{"description":"replace the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"replaceKyvernoIoV1ClusterPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"delete":{"description":"delete a ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"deleteKyvernoIoV1ClusterPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"patch":{"description":"partially update the specified ClusterPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"patchKyvernoIoV1ClusterPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/clusterpolicies/{name}/status":{"get":{"description":"read status of the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"readKyvernoIoV1ClusterPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"put":{"description":"replace status of the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"replaceKyvernoIoV1ClusterPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"patch":{"description":"partially update status of the specified ClusterPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"patchKyvernoIoV1ClusterPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/namespaces/{namespace}/policies":{"get":{"description":"list objects of kind Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"listKyvernoIoV1NamespacedPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.PolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"post":{"description":"create a Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"createKyvernoIoV1NamespacedPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"delete":{"description":"delete collection of Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"deleteKyvernoIoV1CollectionNamespacedPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/namespaces/{namespace}/policies/{name}":{"get":{"description":"read the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"readKyvernoIoV1NamespacedPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"put":{"description":"replace the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"replaceKyvernoIoV1NamespacedPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"delete":{"description":"delete a Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"deleteKyvernoIoV1NamespacedPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"patch":{"description":"partially update the specified Policy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"patchKyvernoIoV1NamespacedPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Policy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/namespaces/{namespace}/policies/{name}/status":{"get":{"description":"read status of the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"readKyvernoIoV1NamespacedPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"put":{"description":"replace status of the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"replaceKyvernoIoV1NamespacedPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"patch":{"description":"partially update status of the specified Policy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"patchKyvernoIoV1NamespacedPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Policy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1/policies":{"get":{"description":"list objects of kind Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1"],"operationId":"listKyvernoIoV1PolicyForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1.PolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v1alpha2/admissionreports":{"get":{"description":"list objects of kind AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2AdmissionReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v1alpha2/backgroundscanreports":{"get":{"description":"list objects of kind BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2BackgroundScanReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v1alpha2/clusteradmissionreports":{"get":{"description":"list objects of kind ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"post":{"description":"create a ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"createKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"delete":{"description":"delete collection of ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2CollectionClusterAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/clusteradmissionreports/{name}":{"get":{"description":"read the specified ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"readKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"put":{"description":"replace the specified ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"replaceKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"delete":{"description":"delete a ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified ClusterAdmissionReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"patchKyvernoIoV1alpha2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterAdmissionReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/clusterbackgroundscanreports":{"get":{"description":"list objects of kind ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"post":{"description":"create a ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"createKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"delete":{"description":"delete collection of ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2CollectionClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/clusterbackgroundscanreports/{name}":{"get":{"description":"read the specified ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"readKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"put":{"description":"replace the specified ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"replaceKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"delete":{"description":"delete a ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified ClusterBackgroundScanReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"patchKyvernoIoV1alpha2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterBackgroundScanReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/namespaces/{namespace}/admissionreports":{"get":{"description":"list objects of kind AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"post":{"description":"create an AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"createKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"delete":{"description":"delete collection of AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2CollectionNamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/namespaces/{namespace}/admissionreports/{name}":{"get":{"description":"read the specified AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"readKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"put":{"description":"replace the specified AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"replaceKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"delete":{"description":"delete an AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified AdmissionReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"patchKyvernoIoV1alpha2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the AdmissionReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/namespaces/{namespace}/backgroundscanreports":{"get":{"description":"list objects of kind BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"listKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"post":{"description":"create a BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"createKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"delete":{"description":"delete collection of BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2CollectionNamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1alpha2/namespaces/{namespace}/backgroundscanreports/{name}":{"get":{"description":"read the specified BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"readKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"put":{"description":"replace the specified BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"replaceKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"delete":{"description":"delete a BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"deleteKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified BackgroundScanReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1alpha2"],"operationId":"patchKyvernoIoV1alpha2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the BackgroundScanReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1beta1/namespaces/{namespace}/updaterequests":{"get":{"description":"list objects of kind UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"listKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequestList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"post":{"description":"create an UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"createKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"delete":{"description":"delete collection of UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"deleteKyvernoIoV1beta1CollectionNamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1beta1/namespaces/{namespace}/updaterequests/{name}":{"get":{"description":"read the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"readKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"put":{"description":"replace the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"replaceKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"delete":{"description":"delete an UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"deleteKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"patch":{"description":"partially update the specified UpdateRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"patchKyvernoIoV1beta1NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the UpdateRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1beta1/namespaces/{namespace}/updaterequests/{name}/status":{"get":{"description":"read status of the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"readKyvernoIoV1beta1NamespacedUpdateRequestStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"put":{"description":"replace status of the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"replaceKyvernoIoV1beta1NamespacedUpdateRequestStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"patch":{"description":"partially update status of the specified UpdateRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"patchKyvernoIoV1beta1NamespacedUpdateRequestStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the UpdateRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v1beta1/updaterequests":{"get":{"description":"list objects of kind UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v1beta1"],"operationId":"listKyvernoIoV1beta1UpdateRequestForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequestList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2/admissionreports":{"get":{"description":"list objects of kind AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2AdmissionReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2/backgroundscanreports":{"get":{"description":"list objects of kind BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2BackgroundScanReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2/cleanuppolicies":{"get":{"description":"list objects of kind CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2CleanupPolicyForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2/clusteradmissionreports":{"get":{"description":"list objects of kind ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"post":{"description":"create a ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2ClusterAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"delete":{"description":"delete collection of ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionClusterAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clusteradmissionreports/{name}":{"get":{"description":"read the specified ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"put":{"description":"replace the specified ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2ClusterAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"delete":{"description":"delete a ClusterAdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"patch":{"description":"partially update the specified ClusterAdmissionReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2ClusterAdmissionReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterAdmissionReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clusterbackgroundscanreports":{"get":{"description":"list objects of kind ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"post":{"description":"create a ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"delete":{"description":"delete collection of ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clusterbackgroundscanreports/{name}":{"get":{"description":"read the specified ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"put":{"description":"replace the specified ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"delete":{"description":"delete a ClusterBackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"patch":{"description":"partially update the specified ClusterBackgroundScanReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2ClusterBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterBackgroundScanReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clustercleanuppolicies":{"get":{"description":"list objects of kind ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"post":{"description":"create a ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2ClusterCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"delete":{"description":"delete collection of ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clustercleanuppolicies/{name}":{"get":{"description":"read the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"put":{"description":"replace the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2ClusterCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"delete":{"description":"delete a ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"patch":{"description":"partially update the specified ClusterCleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterCleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/clustercleanuppolicies/{name}/status":{"get":{"description":"read status of the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2ClusterCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"put":{"description":"replace status of the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2ClusterCleanupPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"patch":{"description":"partially update status of the specified ClusterCleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2ClusterCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterCleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/admissionreports":{"get":{"description":"list objects of kind AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"post":{"description":"create an AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2NamespacedAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"delete":{"description":"delete collection of AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionNamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/admissionreports/{name}":{"get":{"description":"read the specified AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"put":{"description":"replace the specified AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedAdmissionReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"delete":{"description":"delete an AdmissionReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"patch":{"description":"partially update the specified AdmissionReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedAdmissionReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the AdmissionReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/backgroundscanreports":{"get":{"description":"list objects of kind BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"post":{"description":"create a BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"delete":{"description":"delete collection of BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionNamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/backgroundscanreports/{name}":{"get":{"description":"read the specified BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"put":{"description":"replace the specified BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"delete":{"description":"delete a BackgroundScanReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"patch":{"description":"partially update the specified BackgroundScanReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedBackgroundScanReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the BackgroundScanReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/cleanuppolicies":{"get":{"description":"list objects of kind CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"post":{"description":"create a CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"delete":{"description":"delete collection of CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionNamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/cleanuppolicies/{name}":{"get":{"description":"read the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"put":{"description":"replace the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"delete":{"description":"delete a CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"patch":{"description":"partially update the specified CleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/cleanuppolicies/{name}/status":{"get":{"description":"read status of the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"put":{"description":"replace status of the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedCleanupPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"patch":{"description":"partially update status of the specified CleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/policyexceptions":{"get":{"description":"list objects of kind PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2NamespacedPolicyException","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyExceptionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"post":{"description":"create a PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2NamespacedPolicyException","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"delete":{"description":"delete collection of PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionNamespacedPolicyException","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/policyexceptions/{name}":{"get":{"description":"read the specified PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedPolicyException","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"put":{"description":"replace the specified PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedPolicyException","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"delete":{"description":"delete a PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2NamespacedPolicyException","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"patch":{"description":"partially update the specified PolicyException","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedPolicyException","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PolicyException","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/updaterequests":{"get":{"description":"list objects of kind UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequestList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"post":{"description":"create an UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"createKyvernoIoV2NamespacedUpdateRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"delete":{"description":"delete collection of UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2CollectionNamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/updaterequests/{name}":{"get":{"description":"read the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"put":{"description":"replace the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedUpdateRequest","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"delete":{"description":"delete an UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"deleteKyvernoIoV2NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"patch":{"description":"partially update the specified UpdateRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedUpdateRequest","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the UpdateRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/namespaces/{namespace}/updaterequests/{name}/status":{"get":{"description":"read status of the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"readKyvernoIoV2NamespacedUpdateRequestStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"put":{"description":"replace status of the specified UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"replaceKyvernoIoV2NamespacedUpdateRequestStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"patch":{"description":"partially update status of the specified UpdateRequest","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"patchKyvernoIoV2NamespacedUpdateRequestStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the UpdateRequest","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2/policyexceptions":{"get":{"description":"list objects of kind PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2PolicyExceptionForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.PolicyExceptionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2/updaterequests":{"get":{"description":"list objects of kind UpdateRequest","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2"],"operationId":"listKyvernoIoV2UpdateRequestForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequestList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2beta1/cleanuppolicies":{"get":{"description":"list objects of kind CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1CleanupPolicyForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2beta1/clustercleanuppolicies":{"get":{"description":"list objects of kind ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"post":{"description":"create a ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"createKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"delete":{"description":"delete collection of ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1CollectionClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/clustercleanuppolicies/{name}":{"get":{"description":"read the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"put":{"description":"replace the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"delete":{"description":"delete a ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"patch":{"description":"partially update the specified ClusterCleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1ClusterCleanupPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterCleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/clustercleanuppolicies/{name}/status":{"get":{"description":"read status of the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1ClusterCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"put":{"description":"replace status of the specified ClusterCleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1ClusterCleanupPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"patch":{"description":"partially update status of the specified ClusterCleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1ClusterCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterCleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/clusterpolicies":{"get":{"description":"list objects of kind ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1ClusterPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"post":{"description":"create a ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"createKyvernoIoV2beta1ClusterPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"delete":{"description":"delete collection of ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1CollectionClusterPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/clusterpolicies/{name}":{"get":{"description":"read the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1ClusterPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"put":{"description":"replace the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1ClusterPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"delete":{"description":"delete a ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1ClusterPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"patch":{"description":"partially update the specified ClusterPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1ClusterPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/clusterpolicies/{name}/status":{"get":{"description":"read status of the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1ClusterPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"put":{"description":"replace status of the specified ClusterPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1ClusterPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"patch":{"description":"partially update status of the specified ClusterPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1ClusterPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/cleanuppolicies":{"get":{"description":"list objects of kind CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"post":{"description":"create a CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"createKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"delete":{"description":"delete collection of CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1CollectionNamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/cleanuppolicies/{name}":{"get":{"description":"read the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"put":{"description":"replace the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"delete":{"description":"delete a CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"patch":{"description":"partially update the specified CleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1NamespacedCleanupPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/cleanuppolicies/{name}/status":{"get":{"description":"read status of the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1NamespacedCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"put":{"description":"replace status of the specified CleanupPolicy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1NamespacedCleanupPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"patch":{"description":"partially update status of the specified CleanupPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1NamespacedCleanupPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CleanupPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/policies":{"get":{"description":"list objects of kind Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1NamespacedPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"post":{"description":"create a Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"createKyvernoIoV2beta1NamespacedPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"delete":{"description":"delete collection of Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1CollectionNamespacedPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/policies/{name}":{"get":{"description":"read the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1NamespacedPolicy","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"put":{"description":"replace the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1NamespacedPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"delete":{"description":"delete a Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1NamespacedPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"patch":{"description":"partially update the specified Policy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1NamespacedPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Policy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/policies/{name}/status":{"get":{"description":"read status of the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1NamespacedPolicyStatus","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"put":{"description":"replace status of the specified Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1NamespacedPolicyStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"patch":{"description":"partially update status of the specified Policy","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1NamespacedPolicyStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Policy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/policyexceptions":{"get":{"description":"list objects of kind PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyExceptionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"post":{"description":"create a PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"createKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"delete":{"description":"delete collection of PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1CollectionNamespacedPolicyException","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/namespaces/{namespace}/policyexceptions/{name}":{"get":{"description":"read the specified PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"readKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"put":{"description":"replace the specified PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"replaceKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"delete":{"description":"delete a PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"deleteKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"patch":{"description":"partially update the specified PolicyException","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"patchKyvernoIoV2beta1NamespacedPolicyException","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PolicyException","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/kyverno.io/v2beta1/policies":{"get":{"description":"list objects of kind Policy","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1PolicyForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/kyverno.io/v2beta1/policyexceptions":{"get":{"description":"list objects of kind PolicyException","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["kyvernoIo_v2beta1"],"operationId":"listKyvernoIoV2beta1PolicyExceptionForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyExceptionList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking"],"operationId":"getNetworkingAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/networking.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"getNetworkingV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/networking.k8s.io/v1/ingressclasses":{"get":{"description":"list or watch objects of kind IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"listNetworkingV1IngressClass","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"post":{"description":"create an IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"createNetworkingV1IngressClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"delete":{"description":"delete collection of IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1CollectionIngressClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/ingressclasses/{name}":{"get":{"description":"read the specified IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"readNetworkingV1IngressClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"put":{"description":"replace the specified IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"replaceNetworkingV1IngressClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"delete":{"description":"delete an IngressClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1IngressClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"patch":{"description":"partially update the specified IngressClass","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"patchNetworkingV1IngressClass","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the IngressClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/ingresses":{"get":{"description":"list or watch objects of kind Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"listNetworkingV1IngressForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses":{"get":{"description":"list or watch objects of kind Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"listNetworkingV1NamespacedIngress","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"post":{"description":"create an Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"createNetworkingV1NamespacedIngress","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"delete":{"description":"delete collection of Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1CollectionNamespacedIngress","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses/{name}":{"get":{"description":"read the specified Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"readNetworkingV1NamespacedIngress","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"put":{"description":"replace the specified Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"replaceNetworkingV1NamespacedIngress","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"delete":{"description":"delete an Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1NamespacedIngress","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"patch":{"description":"partially update the specified Ingress","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"patchNetworkingV1NamespacedIngress","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Ingress","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses/{name}/status":{"get":{"description":"read status of the specified Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"readNetworkingV1NamespacedIngressStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"put":{"description":"replace status of the specified Ingress","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"replaceNetworkingV1NamespacedIngressStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"patch":{"description":"partially update status of the specified Ingress","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"patchNetworkingV1NamespacedIngressStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Ingress","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies":{"get":{"description":"list or watch objects of kind NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"listNetworkingV1NamespacedNetworkPolicy","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"post":{"description":"create a NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"createNetworkingV1NamespacedNetworkPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"delete":{"description":"delete collection of NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1CollectionNamespacedNetworkPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}":{"get":{"description":"read the specified NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"readNetworkingV1NamespacedNetworkPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"put":{"description":"replace the specified NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"replaceNetworkingV1NamespacedNetworkPolicy","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"delete":{"description":"delete a NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"deleteNetworkingV1NamespacedNetworkPolicy","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"patch":{"description":"partially update the specified NetworkPolicy","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["networking_v1"],"operationId":"patchNetworkingV1NamespacedNetworkPolicy","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the NetworkPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/networking.k8s.io/v1/networkpolicies":{"get":{"description":"list or watch objects of kind NetworkPolicy","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"listNetworkingV1NetworkPolicyForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/ingressclasses":{"get":{"description":"watch individual changes to a list of IngressClass. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1IngressClassList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/ingressclasses/{name}":{"get":{"description":"watch changes to an object of kind IngressClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1IngressClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the IngressClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/ingresses":{"get":{"description":"watch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1IngressListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses":{"get":{"description":"watch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1NamespacedIngressList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses/{name}":{"get":{"description":"watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1NamespacedIngress","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Ingress","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies":{"get":{"description":"watch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1NamespacedNetworkPolicyList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies/{name}":{"get":{"description":"watch changes to an object of kind NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1NamespacedNetworkPolicy","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the NetworkPolicy","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/networking.k8s.io/v1/watch/networkpolicies":{"get":{"description":"watch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["networking_v1"],"operationId":"watchNetworkingV1NetworkPolicyListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/node.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node"],"operationId":"getNodeAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/node.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"getNodeV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/node.k8s.io/v1/runtimeclasses":{"get":{"description":"list or watch objects of kind RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["node_v1"],"operationId":"listNodeV1RuntimeClass","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClassList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"post":{"description":"create a RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"createNodeV1RuntimeClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"delete":{"description":"delete collection of RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"deleteNodeV1CollectionRuntimeClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/node.k8s.io/v1/runtimeclasses/{name}":{"get":{"description":"read the specified RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"readNodeV1RuntimeClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"put":{"description":"replace the specified RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"replaceNodeV1RuntimeClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"delete":{"description":"delete a RuntimeClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"deleteNodeV1RuntimeClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"patch":{"description":"partially update the specified RuntimeClass","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["node_v1"],"operationId":"patchNodeV1RuntimeClass","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the RuntimeClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/node.k8s.io/v1/watch/runtimeclasses":{"get":{"description":"watch individual changes to a list of RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["node_v1"],"operationId":"watchNodeV1RuntimeClassList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/node.k8s.io/v1/watch/runtimeclasses/{name}":{"get":{"description":"watch changes to an object of kind RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["node_v1"],"operationId":"watchNodeV1RuntimeClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the RuntimeClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/policy/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy"],"operationId":"getPolicyAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/policy/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"getPolicyV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets":{"get":{"description":"list or watch objects of kind PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["policy_v1"],"operationId":"listPolicyV1NamespacedPodDisruptionBudget","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"post":{"description":"create a PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"createPolicyV1NamespacedPodDisruptionBudget","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"delete":{"description":"delete collection of PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"deletePolicyV1CollectionNamespacedPodDisruptionBudget","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}":{"get":{"description":"read the specified PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"readPolicyV1NamespacedPodDisruptionBudget","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"put":{"description":"replace the specified PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"replacePolicyV1NamespacedPodDisruptionBudget","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"delete":{"description":"delete a PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"deletePolicyV1NamespacedPodDisruptionBudget","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"patch":{"description":"partially update the specified PodDisruptionBudget","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"patchPolicyV1NamespacedPodDisruptionBudget","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodDisruptionBudget","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status":{"get":{"description":"read status of the specified PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"readPolicyV1NamespacedPodDisruptionBudgetStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"put":{"description":"replace status of the specified PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"replacePolicyV1NamespacedPodDisruptionBudgetStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"patch":{"description":"partially update status of the specified PodDisruptionBudget","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["policy_v1"],"operationId":"patchPolicyV1NamespacedPodDisruptionBudgetStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PodDisruptionBudget","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/policy/v1/poddisruptionbudgets":{"get":{"description":"list or watch objects of kind PodDisruptionBudget","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["policy_v1"],"operationId":"listPolicyV1PodDisruptionBudgetForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets":{"get":{"description":"watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["policy_v1"],"operationId":"watchPolicyV1NamespacedPodDisruptionBudgetList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets/{name}":{"get":{"description":"watch changes to an object of kind PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["policy_v1"],"operationId":"watchPolicyV1NamespacedPodDisruptionBudget","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PodDisruptionBudget","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/policy/v1/watch/poddisruptionbudgets":{"get":{"description":"watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["policy_v1"],"operationId":"watchPolicyV1PodDisruptionBudgetListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization"],"operationId":"getRbacAuthorizationAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/rbac.authorization.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"getRbacAuthorizationV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings":{"get":{"description":"list or watch objects of kind ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1ClusterRoleBinding","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"post":{"description":"create a ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"createRbacAuthorizationV1ClusterRoleBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"delete":{"description":"delete collection of ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1CollectionClusterRoleBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}":{"get":{"description":"read the specified ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"readRbacAuthorizationV1ClusterRoleBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"put":{"description":"replace the specified ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"replaceRbacAuthorizationV1ClusterRoleBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"delete":{"description":"delete a ClusterRoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1ClusterRoleBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"patch":{"description":"partially update the specified ClusterRoleBinding","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"patchRbacAuthorizationV1ClusterRoleBinding","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterRoleBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/clusterroles":{"get":{"description":"list or watch objects of kind ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1ClusterRole","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"post":{"description":"create a ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"createRbacAuthorizationV1ClusterRole","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"delete":{"description":"delete collection of ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1CollectionClusterRole","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/clusterroles/{name}":{"get":{"description":"read the specified ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"readRbacAuthorizationV1ClusterRole","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"put":{"description":"replace the specified ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"replaceRbacAuthorizationV1ClusterRole","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"delete":{"description":"delete a ClusterRole","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1ClusterRole","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"patch":{"description":"partially update the specified ClusterRole","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"patchRbacAuthorizationV1ClusterRole","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterRole","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings":{"get":{"description":"list or watch objects of kind RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1NamespacedRoleBinding","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBindingList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"post":{"description":"create a RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"createRbacAuthorizationV1NamespacedRoleBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"delete":{"description":"delete collection of RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1CollectionNamespacedRoleBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}":{"get":{"description":"read the specified RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"readRbacAuthorizationV1NamespacedRoleBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"put":{"description":"replace the specified RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"replaceRbacAuthorizationV1NamespacedRoleBinding","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"delete":{"description":"delete a RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1NamespacedRoleBinding","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"patch":{"description":"partially update the specified RoleBinding","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"patchRbacAuthorizationV1NamespacedRoleBinding","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the RoleBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles":{"get":{"description":"list or watch objects of kind Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1NamespacedRole","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"post":{"description":"create a Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"createRbacAuthorizationV1NamespacedRole","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"delete":{"description":"delete collection of Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1CollectionNamespacedRole","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}":{"get":{"description":"read the specified Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"readRbacAuthorizationV1NamespacedRole","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"put":{"description":"replace the specified Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"replaceRbacAuthorizationV1NamespacedRole","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"delete":{"description":"delete a Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"deleteRbacAuthorizationV1NamespacedRole","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"patch":{"description":"partially update the specified Role","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"patchRbacAuthorizationV1NamespacedRole","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the Role","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/rbac.authorization.k8s.io/v1/rolebindings":{"get":{"description":"list or watch objects of kind RoleBinding","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1RoleBindingForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBindingList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/roles":{"get":{"description":"list or watch objects of kind Role","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"listRbacAuthorizationV1RoleForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/clusterrolebindings":{"get":{"description":"watch individual changes to a list of ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1ClusterRoleBindingList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/clusterrolebindings/{name}":{"get":{"description":"watch changes to an object of kind ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1ClusterRoleBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ClusterRoleBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/clusterroles":{"get":{"description":"watch individual changes to a list of ClusterRole. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1ClusterRoleList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/clusterroles/{name}":{"get":{"description":"watch changes to an object of kind ClusterRole. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1ClusterRole","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the ClusterRole","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindings":{"get":{"description":"watch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1NamespacedRoleBindingList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindings/{name}":{"get":{"description":"watch changes to an object of kind RoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1NamespacedRoleBinding","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the RoleBinding","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles":{"get":{"description":"watch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1NamespacedRoleList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles/{name}":{"get":{"description":"watch changes to an object of kind Role. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1NamespacedRole","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the Role","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/rolebindings":{"get":{"description":"watch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1RoleBindingListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/rbac.authorization.k8s.io/v1/watch/roles":{"get":{"description":"watch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["rbacAuthorization_v1"],"operationId":"watchRbacAuthorizationV1RoleListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/reports.kyverno.io/v1/clusterephemeralreports":{"get":{"description":"list objects of kind ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"listReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"post":{"description":"create a ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"createReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"delete":{"description":"delete collection of ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"deleteReportsKyvernoIoV1CollectionClusterEphemeralReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/reports.kyverno.io/v1/clusterephemeralreports/{name}":{"get":{"description":"read the specified ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"readReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"put":{"description":"replace the specified ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"replaceReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"delete":{"description":"delete a ClusterEphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"deleteReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"patch":{"description":"partially update the specified ClusterEphemeralReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"patchReportsKyvernoIoV1ClusterEphemeralReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterEphemeralReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/reports.kyverno.io/v1/ephemeralreports":{"get":{"description":"list objects of kind EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"listReportsKyvernoIoV1EphemeralReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/reports.kyverno.io/v1/namespaces/{namespace}/ephemeralreports":{"get":{"description":"list objects of kind EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"listReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"post":{"description":"create an EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"createReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"delete":{"description":"delete collection of EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"deleteReportsKyvernoIoV1CollectionNamespacedEphemeralReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/reports.kyverno.io/v1/namespaces/{namespace}/ephemeralreports/{name}":{"get":{"description":"read the specified EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"readReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"put":{"description":"replace the specified EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"replaceReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"delete":{"description":"delete an EphemeralReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"deleteReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"patch":{"description":"partially update the specified EphemeralReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["reportsKyvernoIo_v1"],"operationId":"patchReportsKyvernoIoV1NamespacedEphemeralReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the EphemeralReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/scheduling.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling"],"operationId":"getSchedulingAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/scheduling.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"getSchedulingV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/scheduling.k8s.io/v1/priorityclasses":{"get":{"description":"list or watch objects of kind PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"listSchedulingV1PriorityClass","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClassList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"post":{"description":"create a PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"createSchedulingV1PriorityClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"delete":{"description":"delete collection of PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"deleteSchedulingV1CollectionPriorityClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/scheduling.k8s.io/v1/priorityclasses/{name}":{"get":{"description":"read the specified PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"readSchedulingV1PriorityClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"put":{"description":"replace the specified PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"replaceSchedulingV1PriorityClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"delete":{"description":"delete a PriorityClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"deleteSchedulingV1PriorityClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"patch":{"description":"partially update the specified PriorityClass","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"patchSchedulingV1PriorityClass","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PriorityClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/scheduling.k8s.io/v1/watch/priorityclasses":{"get":{"description":"watch individual changes to a list of PriorityClass. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"watchSchedulingV1PriorityClassList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/scheduling.k8s.io/v1/watch/priorityclasses/{name}":{"get":{"description":"watch changes to an object of kind PriorityClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["scheduling_v1"],"operationId":"watchSchedulingV1PriorityClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the PriorityClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/":{"get":{"description":"get information of a group","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage"],"operationId":"getStorageAPIGroup","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"}},"401":{"description":"Unauthorized"}}}},"/apis/storage.k8s.io/v1/":{"get":{"description":"get available resources","consumes":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"getStorageV1APIResources","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"}},"401":{"description":"Unauthorized"}}}},"/apis/storage.k8s.io/v1/csidrivers":{"get":{"description":"list or watch objects of kind CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1CSIDriver","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriverList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"post":{"description":"create a CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"createStorageV1CSIDriver","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"delete":{"description":"delete collection of CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CollectionCSIDriver","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/csidrivers/{name}":{"get":{"description":"read the specified CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1CSIDriver","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"put":{"description":"replace the specified CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1CSIDriver","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"delete":{"description":"delete a CSIDriver","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CSIDriver","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"patch":{"description":"partially update the specified CSIDriver","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1CSIDriver","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CSIDriver","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/csinodes":{"get":{"description":"list or watch objects of kind CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1CSINode","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINodeList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"post":{"description":"create a CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"createStorageV1CSINode","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"delete":{"description":"delete collection of CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CollectionCSINode","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/csinodes/{name}":{"get":{"description":"read the specified CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1CSINode","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"put":{"description":"replace the specified CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1CSINode","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"delete":{"description":"delete a CSINode","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CSINode","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"patch":{"description":"partially update the specified CSINode","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1CSINode","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CSINode","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/csistoragecapacities":{"get":{"description":"list or watch objects of kind CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1CSIStorageCapacityForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities":{"get":{"description":"list or watch objects of kind CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1NamespacedCSIStorageCapacity","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacityList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"post":{"description":"create a CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"createStorageV1NamespacedCSIStorageCapacity","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"delete":{"description":"delete collection of CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CollectionNamespacedCSIStorageCapacity","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/namespaces/{namespace}/csistoragecapacities/{name}":{"get":{"description":"read the specified CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1NamespacedCSIStorageCapacity","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"put":{"description":"replace the specified CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1NamespacedCSIStorageCapacity","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"delete":{"description":"delete a CSIStorageCapacity","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1NamespacedCSIStorageCapacity","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"patch":{"description":"partially update the specified CSIStorageCapacity","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1NamespacedCSIStorageCapacity","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the CSIStorageCapacity","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/storageclasses":{"get":{"description":"list or watch objects of kind StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1StorageClass","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClassList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"post":{"description":"create a StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"createStorageV1StorageClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"delete":{"description":"delete collection of StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CollectionStorageClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/storageclasses/{name}":{"get":{"description":"read the specified StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1StorageClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"put":{"description":"replace the specified StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1StorageClass","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"delete":{"description":"delete a StorageClass","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1StorageClass","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"patch":{"description":"partially update the specified StorageClass","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1StorageClass","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the StorageClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/volumeattachments":{"get":{"description":"list or watch objects of kind VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"listStorageV1VolumeAttachment","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"post":{"description":"create a VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"createStorageV1VolumeAttachment","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"delete":{"description":"delete collection of VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1CollectionVolumeAttachment","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"$ref":"#/parameters/continue-QfD61s0i"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/volumeattachments/{name}":{"get":{"description":"read the specified VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1VolumeAttachment","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"put":{"description":"replace the specified VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1VolumeAttachment","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"delete":{"description":"delete a VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"deleteStorageV1VolumeAttachment","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"patch":{"description":"partially update the specified VolumeAttachment","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1VolumeAttachment","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the VolumeAttachment","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/volumeattachments/{name}/status":{"get":{"description":"read status of the specified VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"readStorageV1VolumeAttachmentStatus","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"put":{"description":"replace status of the specified VolumeAttachment","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"replaceStorageV1VolumeAttachmentStatus","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"patch":{"description":"partially update status of the specified VolumeAttachment","consumes":["application/json-patch+json","application/merge-patch+json","application/strategic-merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf"],"schemes":["https"],"tags":["storage_v1"],"operationId":"patchStorageV1VolumeAttachmentStatus","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the VolumeAttachment","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/storage.k8s.io/v1/watch/csidrivers":{"get":{"description":"watch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1CSIDriverList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/csidrivers/{name}":{"get":{"description":"watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1CSIDriver","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CSIDriver","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/csinodes":{"get":{"description":"watch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1CSINodeList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/csinodes/{name}":{"get":{"description":"watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1CSINode","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CSINode","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/csistoragecapacities":{"get":{"description":"watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1CSIStorageCapacityListForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities":{"get":{"description":"watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1NamespacedCSIStorageCapacityList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/namespaces/{namespace}/csistoragecapacities/{name}":{"get":{"description":"watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1NamespacedCSIStorageCapacity","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the CSIStorageCapacity","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/storageclasses":{"get":{"description":"watch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1StorageClassList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/storageclasses/{name}":{"get":{"description":"watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1StorageClass","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the StorageClass","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/volumeattachments":{"get":{"description":"watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1VolumeAttachmentList","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watchlist","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/storage.k8s.io/v1/watch/volumeattachments/{name}":{"get":{"description":"watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.","consumes":["*/*"],"produces":["application/json","application/yaml","application/vnd.kubernetes.protobuf","application/json;stream=watch","application/vnd.kubernetes.protobuf;stream=watch"],"schemes":["https"],"tags":["storage_v1"],"operationId":"watchStorageV1VolumeAttachment","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"watch","x-kubernetes-group-version-kind":{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"uniqueItems":true,"type":"string","description":"name of the VolumeAttachment","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/apis/wgpolicyk8s.io/v1alpha2/clusterpolicyreports":{"get":{"description":"list objects of kind ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"listWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"post":{"description":"create a ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"createWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"delete":{"description":"delete collection of ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"deleteWgpolicyk8sIoV1alpha2CollectionClusterPolicyReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/wgpolicyk8s.io/v1alpha2/clusterpolicyreports/{name}":{"get":{"description":"read the specified ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"readWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"put":{"description":"replace the specified ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"replaceWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"delete":{"description":"delete a ClusterPolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"deleteWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified ClusterPolicyReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"patchWgpolicyk8sIoV1alpha2ClusterPolicyReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the ClusterPolicyReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/wgpolicyk8s.io/v1alpha2/namespaces/{namespace}/policyreports":{"get":{"description":"list objects of kind PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"listWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"post":{"description":"create a PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"createWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"post","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"delete":{"description":"delete collection of PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"deleteWgpolicyk8sIoV1alpha2CollectionNamespacedPolicyReport","parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"deletecollection","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/wgpolicyk8s.io/v1alpha2/namespaces/{namespace}/policyreports/{name}":{"get":{"description":"read the specified PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"readWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"$ref":"#/parameters/resourceVersion-5WAnf1kx"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"get","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"put":{"description":"replace the specified PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"replaceWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-Qy4HdaTW"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"201":{"description":"Created","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"put","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"delete":{"description":"delete a PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"deleteWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"$ref":"#/parameters/body-2Y1dVQaQ"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/gracePeriodSeconds--K5HaBOS"},{"$ref":"#/parameters/orphanDependents-uRB25kX5"},{"$ref":"#/parameters/propagationPolicy-6jk3prlO"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"202":{"description":"Accepted","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"delete","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"patch":{"description":"partially update the specified PolicyReport","consumes":["application/json-patch+json","application/merge-patch+json","application/apply-patch+yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"patchWgpolicyk8sIoV1alpha2NamespacedPolicyReport","parameters":[{"$ref":"#/parameters/body-78PwaGsr"},{"uniqueItems":true,"type":"string","description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","name":"dryRun","in":"query"},{"$ref":"#/parameters/fieldManager-7c6nTn1T"},{"uniqueItems":true,"type":"string","description":"fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.","name":"fieldValidation","in":"query"},{"$ref":"#/parameters/force-tOGGb0Yi"}],"responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"patch","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"parameters":[{"uniqueItems":true,"type":"string","description":"name of the PolicyReport","name":"name","in":"path","required":true},{"$ref":"#/parameters/namespace-vgWSWtn3"},{"$ref":"#/parameters/pretty-tJGM1-ng"}]},"/apis/wgpolicyk8s.io/v1alpha2/policyreports":{"get":{"description":"list objects of kind PolicyReport","consumes":["application/json","application/yaml"],"produces":["application/json","application/yaml"],"schemes":["https"],"tags":["wgpolicyk8sIo_v1alpha2"],"operationId":"listWgpolicyk8sIoV1alpha2PolicyReportForAllNamespaces","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReportList"}},"401":{"description":"Unauthorized"}},"x-kubernetes-action":"list","x-kubernetes-group-version-kind":{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}},"parameters":[{"$ref":"#/parameters/allowWatchBookmarks-HC2hJt-J"},{"$ref":"#/parameters/continue-QfD61s0i"},{"$ref":"#/parameters/fieldSelector-xIcQKXFG"},{"$ref":"#/parameters/labelSelector-5Zw57w4C"},{"$ref":"#/parameters/limit-1NfNmdNH"},{"$ref":"#/parameters/pretty-tJGM1-ng"},{"$ref":"#/parameters/resourceVersion-5WAnf1kx"},{"$ref":"#/parameters/resourceVersionMatch-t8XhRHeC"},{"$ref":"#/parameters/sendInitialEvents-rLXlEK_k"},{"$ref":"#/parameters/timeoutSeconds-yvYezaOC"},{"$ref":"#/parameters/watch-XNNPZGbK"}]},"/logs/":{"get":{"schemes":["https"],"tags":["logs"],"operationId":"logFileListHandler","responses":{"401":{"description":"Unauthorized"}}}},"/logs/{logpath}":{"get":{"schemes":["https"],"tags":["logs"],"operationId":"logFileHandler","responses":{"401":{"description":"Unauthorized"}}},"parameters":[{"$ref":"#/parameters/logpath-Noq7euwC"}]},"/openid/v1/jwks/":{"get":{"description":"get service account issuer OpenID JSON Web Key Set (contains public token verification keys)","produces":["application/jwk-set+json"],"schemes":["https"],"tags":["openid"],"operationId":"getServiceAccountIssuerOpenIDKeyset","responses":{"200":{"description":"OK","schema":{"type":"string"}},"401":{"description":"Unauthorized"}}}},"/version/":{"get":{"description":"get the code version","consumes":["application/json"],"produces":["application/json"],"schemes":["https"],"tags":["version"],"operationId":"getCodeVersion","responses":{"200":{"description":"OK","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.version.Info"}},"401":{"description":"Unauthorized"}}}}},"definitions":{"io.k8s.api.admissionregistration.v1.AuditAnnotation":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"io.k8s.api.admissionregistration.v1.ExpressionWarning":{"description":"ExpressionWarning is a warning information that targets a specific expression.","type":"object","required":["fieldRef","warning"],"properties":{"fieldRef":{"description":"The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"","type":"string"},"warning":{"description":"The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.","type":"string"}}},"io.k8s.api.admissionregistration.v1.MatchCondition":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"io.k8s.api.admissionregistration.v1.MatchResources":{"description":"MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1.MutatingWebhook":{"description":"MutatingWebhook describes an admission webhook and the resources and operations it applies to.","type":"object","required":["name","clientConfig","sideEffects","admissionReviewVersions"],"properties":{"admissionReviewVersions":{"description":"AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"clientConfig":{"description":"ClientConfig defines how to communicate with the hook. Required","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"},"failurePolicy":{"description":"FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the error is ignored and the webhook is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchPolicy":{"description":"matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"name":{"description":"The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".\n\nPossible enum values:\n - `\"IfNeeded\"` indicates that the webhook may be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call.\n - `\"Never\"` indicates that the webhook must not be called more than once in a single admission evaluation.","type":"string","enum":["IfNeeded","Never"]},"rules":{"description":"Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations"},"x-kubernetes-list-type":"atomic"},"sideEffects":{"description":"SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.","type":"string","enum":["None","NoneOnDryRun","Some","Unknown"]},"timeoutSeconds":{"description":"TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.","type":"integer","format":"int32"}}},"io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration":{"description":"MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"webhooks":{"description":"Webhooks is a list of webhooks and the affected resources and operations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhook"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfiguration","version":"v1"}]},"io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList":{"description":"MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of MutatingWebhookConfiguration.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"MutatingWebhookConfigurationList","version":"v1"}]},"io.k8s.api.admissionregistration.v1.NamedRuleWithOperations":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string","enum":["*","CONNECT","CREATE","DELETE","UPDATE"]},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1.ParamKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to. Required.","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1.ParamRef":{"description":"ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1.RuleWithOperations":{"description":"RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string","enum":["*","CONNECT","CREATE","DELETE","UPDATE"]},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".","type":"string"}}},"io.k8s.api.admissionregistration.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","required":["namespace","name"],"properties":{"name":{"description":"`name` is the name of the service. Required","type":"string"},"namespace":{"description":"`namespace` is the namespace of the service. Required","type":"string"},"path":{"description":"`path` is an optional URL path which will be sent in any request to this service.","type":"string"},"port":{"description":"If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).","type":"integer","format":"int32"}}},"io.k8s.api.admissionregistration.v1.TypeChecking":{"description":"TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy","type":"object","properties":{"expressionWarnings":{"description":"The type checking warnings for each expression.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ExpressionWarning"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicy.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec"},"status":{"description":"The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1"}]},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding":{"description":"ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1"}]},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList":{"description":"ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of PolicyBinding.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBindingList","version":"v1"}]},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingSpec":{"description":"ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.","type":"object","properties":{"matchResources":{"description":"MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchResources"},"paramRef":{"description":"paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ParamRef"},"policyName":{"description":"PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.","type":"string"},"validationActions":{"description":"validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"type":"string","enum":["Audit","Deny","Warn"]},"x-kubernetes-list-type":"set"}}},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyList":{"description":"ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingAdmissionPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyList","version":"v1"}]},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicySpec":{"description":"ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.AuditAnnotation"},"x-kubernetes-list-type":"atomic"},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchResources"},"paramKind":{"description":"ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ParamKind"},"validations":{"description":"Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.Validation"},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.Variable"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus":{"description":"ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.","type":"object","properties":{"conditions":{"description":"The conditions represent the latest available observations of a policy's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"observedGeneration":{"description":"The generation observed by the controller.","type":"integer","format":"int64"},"typeChecking":{"description":"The results of type checking for each expression. Presence of this field indicates the completion of the type checking.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.TypeChecking"}}},"io.k8s.api.admissionregistration.v1.ValidatingWebhook":{"description":"ValidatingWebhook describes an admission webhook and the resources and operations it applies to.","type":"object","required":["name","clientConfig","sideEffects","admissionReviewVersions"],"properties":{"admissionReviewVersions":{"description":"AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"clientConfig":{"description":"ClientConfig defines how to communicate with the hook. Required","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"},"failurePolicy":{"description":"FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.\n\nPossible enum values:\n - `\"Fail\"` means that an error calling the webhook causes the admission to fail.\n - `\"Ignore\"` means that an error calling the webhook is ignored.","type":"string","enum":["Fail","Ignore"]},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the error is ignored and the webhook is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchPolicy":{"description":"matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\"\n\nPossible enum values:\n - `\"Equivalent\"` means requests should be sent to the webhook if they modify a resource listed in rules via another API group or version.\n - `\"Exact\"` means requests should only be sent to the webhook if they exactly match a given rule.","type":"string","enum":["Equivalent","Exact"]},"name":{"description":"The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"rules":{"description":"Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations"},"x-kubernetes-list-type":"atomic"},"sideEffects":{"description":"SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.\n\nPossible enum values:\n - `\"None\"` means that calling the webhook will have no side effects.\n - `\"NoneOnDryRun\"` means that calling the webhook will possibly have side effects, but if the request being reviewed has the dry-run attribute, the side effects will be suppressed.\n - `\"Some\"` means that calling the webhook will possibly have side effects. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.\n - `\"Unknown\"` means that no information is known about the side effects of calling the webhook. If a request with the dry-run attribute would trigger a call to this webhook, the request will instead fail.","type":"string","enum":["None","NoneOnDryRun","Some","Unknown"]},"timeoutSeconds":{"description":"TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.","type":"integer","format":"int32"}}},"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration":{"description":"ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"webhooks":{"description":"Webhooks is a list of webhooks and the affected resources and operations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhook"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration","version":"v1"}]},"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationList":{"description":"ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingWebhookConfiguration.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfigurationList","version":"v1"}]},"io.k8s.api.admissionregistration.v1.Validation":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"io.k8s.api.admissionregistration.v1.Variable":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook","type":"object","properties":{"caBundle":{"description":"`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte"},"service":{"description":"`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ServiceReference"},"url":{"description":"`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.","type":"string"}}},"io.k8s.api.admissionregistration.v1beta1.AuditAnnotation":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.","type":"string"}}},"io.k8s.api.admissionregistration.v1beta1.ExpressionWarning":{"description":"ExpressionWarning is a warning information that targets a specific expression.","type":"object","required":["fieldRef","warning"],"properties":{"fieldRef":{"description":"The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"","type":"string"},"warning":{"description":"The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.","type":"string"}}},"io.k8s.api.admissionregistration.v1beta1.MatchCondition":{"description":"MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.","type":"string"}}},"io.k8s.api.admissionregistration.v1beta1.MatchResources":{"description":"MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"object","properties":{"excludeResourceRules":{"description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"description":"NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"resourceRules":{"description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","type":"object","properties":{"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"apiVersions":{"description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","type":"array","items":{"type":"string","enum":["*","CONNECT","CREATE","DELETE","UPDATE"]},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"scope":{"description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1beta1.ParamKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to. Required.","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1beta1.ParamRef":{"description":"ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.","type":"object","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1beta1.TypeChecking":{"description":"TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy","type":"object","properties":{"expressionWarnings":{"description":"The type checking warnings for each expression.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ExpressionWarning"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy":{"description":"ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicy.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicySpec"},"status":{"description":"The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyStatus"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicy","version":"v1beta1"}]},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding":{"description":"ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the ValidatingAdmissionPolicyBinding.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingSpec"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1"}]},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingList":{"description":"ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of PolicyBinding.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBindingList","version":"v1beta1"}]},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingSpec":{"description":"ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.","type":"object","properties":{"matchResources":{"description":"MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.MatchResources"},"paramRef":{"description":"paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ParamRef"},"policyName":{"description":"PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.","type":"string"},"validationActions":{"description":"validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\"message\": \"Invalid value\", {\"policy\": \"policy.example.com\", {\"binding\": \"policybinding.example.com\", {\"expressionIndex\": \"1\", {\"validationActions\": [\"Audit\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.","type":"array","items":{"type":"string","enum":["Audit","Deny","Warn"]},"x-kubernetes-list-type":"set"}}},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyList":{"description":"ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingAdmissionPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyList","version":"v1beta1"}]},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicySpec":{"description":"ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.","type":"object","properties":{"auditAnnotations":{"description":"auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.AuditAnnotation"},"x-kubernetes-list-type":"atomic"},"failurePolicy":{"description":"failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string"},"matchConditions":{"description":"MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.MatchCondition"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"matchConstraints":{"description":"MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.MatchResources"},"paramKind":{"description":"ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ParamKind"},"validations":{"description":"Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.Validation"},"x-kubernetes-list-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.Variable"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyStatus":{"description":"ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.","type":"object","properties":{"conditions":{"description":"The conditions represent the latest available observations of a policy's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"observedGeneration":{"description":"The generation observed by the controller.","type":"integer","format":"int64"},"typeChecking":{"description":"The results of type checking for each expression. Presence of this field indicates the completion of the type checking.","$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.TypeChecking"}}},"io.k8s.api.admissionregistration.v1beta1.Validation":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"io.k8s.api.admissionregistration.v1beta1.Variable":{"description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.","type":"object","required":["name","expression"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.apps.v1.ControllerRevision":{"description":"ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers.","type":"object","required":["revision"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"description":"Data is the serialized representation of the state.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"revision":{"description":"Revision indicates the revision of the state represented by Data.","type":"integer","format":"int64"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ControllerRevision","version":"v1"}]},"io.k8s.api.apps.v1.ControllerRevisionList":{"description":"ControllerRevisionList is a resource containing a list of ControllerRevision objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of ControllerRevisions","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ControllerRevision"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ControllerRevisionList","version":"v1"}]},"io.k8s.api.apps.v1.DaemonSet":{"description":"DaemonSet represents the configuration of a daemon set.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetSpec"},"status":{"description":"The current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DaemonSet","version":"v1"}]},"io.k8s.api.apps.v1.DaemonSetCondition":{"description":"DaemonSetCondition describes the state of a DaemonSet at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of DaemonSet condition.","type":"string"}}},"io.k8s.api.apps.v1.DaemonSetList":{"description":"DaemonSetList is a collection of daemon sets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"A list of daemon sets.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DaemonSetList","version":"v1"}]},"io.k8s.api.apps.v1.DaemonSetSpec":{"description":"DaemonSetSpec is the specification of a daemon set.","type":"object","required":["selector","template"],"properties":{"minReadySeconds":{"description":"The minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.","type":"integer","format":"int32"},"selector":{"description":"A label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"template":{"description":"An object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"updateStrategy":{"description":"An update strategy to replace existing DaemonSet pods with new pods.","$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetUpdateStrategy"}}},"io.k8s.api.apps.v1.DaemonSetStatus":{"description":"DaemonSetStatus represents the current status of a daemon set.","type":"object","required":["currentNumberScheduled","numberMisscheduled","desiredNumberScheduled","numberReady"],"properties":{"collisionCount":{"description":"Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a DaemonSet's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentNumberScheduled":{"description":"The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"desiredNumberScheduled":{"description":"The total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"numberAvailable":{"description":"The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)","type":"integer","format":"int32"},"numberMisscheduled":{"description":"The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/","type":"integer","format":"int32"},"numberReady":{"description":"numberReady is the number of nodes that should be running the daemon pod and have one or more of the daemon pod running with a Ready Condition.","type":"integer","format":"int32"},"numberUnavailable":{"description":"The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)","type":"integer","format":"int32"},"observedGeneration":{"description":"The most recent generation observed by the daemon set controller.","type":"integer","format":"int64"},"updatedNumberScheduled":{"description":"The total number of nodes that are running updated daemon pod","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.DaemonSetUpdateStrategy":{"description":"DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.","type":"object","properties":{"rollingUpdate":{"description":"Rolling update config params. Present only if type = \"RollingUpdate\".","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateDaemonSet"},"type":{"description":"Type of daemon set update. Can be \"RollingUpdate\" or \"OnDelete\". Default is RollingUpdate.\n\nPossible enum values:\n - `\"OnDelete\"` Replace the old daemons only when it's killed\n - `\"RollingUpdate\"` Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.","type":"string","enum":["OnDelete","RollingUpdate"]}}},"io.k8s.api.apps.v1.Deployment":{"description":"Deployment enables declarative updates for Pods and ReplicaSets.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the Deployment.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentSpec"},"status":{"description":"Most recently observed status of the Deployment.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"Deployment","version":"v1"}]},"io.k8s.api.apps.v1.DeploymentCondition":{"description":"DeploymentCondition describes the state of a deployment at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastUpdateTime":{"description":"The last time this condition was updated.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of deployment condition.","type":"string"}}},"io.k8s.api.apps.v1.DeploymentList":{"description":"DeploymentList is a list of Deployments.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of Deployments.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"DeploymentList","version":"v1"}]},"io.k8s.api.apps.v1.DeploymentSpec":{"description":"DeploymentSpec is the specification of the desired behavior of the Deployment.","type":"object","required":["selector","template"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"paused":{"description":"Indicates that the deployment is paused.","type":"boolean"},"progressDeadlineSeconds":{"description":"The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.","type":"integer","format":"int32"},"replicas":{"description":"Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.","type":"integer","format":"int32"},"selector":{"description":"Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"strategy":{"description":"The deployment strategy to use to replace existing pods with new ones.","$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentStrategy","x-kubernetes-patch-strategy":"retainKeys"},"template":{"description":"Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\".","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}}},"io.k8s.api.apps.v1.DeploymentStatus":{"description":"DeploymentStatus is the most recently observed status of the Deployment.","type":"object","properties":{"availableReplicas":{"description":"Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.","type":"integer","format":"int32"},"collisionCount":{"description":"Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a deployment's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"observedGeneration":{"description":"The generation observed by the deployment controller.","type":"integer","format":"int64"},"readyReplicas":{"description":"readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"Total number of non-terminated pods targeted by this deployment (their labels match the selector).","type":"integer","format":"int32"},"unavailableReplicas":{"description":"Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created.","type":"integer","format":"int32"},"updatedReplicas":{"description":"Total number of non-terminated pods targeted by this deployment that have the desired template spec.","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.DeploymentStrategy":{"description":"DeploymentStrategy describes how to replace existing pods with new ones.","type":"object","properties":{"rollingUpdate":{"description":"Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate.","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateDeployment"},"type":{"description":"Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.\n\nPossible enum values:\n - `\"Recreate\"` Kill all existing pods before creating new ones.\n - `\"RollingUpdate\"` Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.","type":"string","enum":["Recreate","RollingUpdate"]}}},"io.k8s.api.apps.v1.ReplicaSet":{"description":"ReplicaSet ensures that a specified number of pod replicas are running at any given time.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetSpec"},"status":{"description":"Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ReplicaSet","version":"v1"}]},"io.k8s.api.apps.v1.ReplicaSetCondition":{"description":"ReplicaSetCondition describes the state of a replica set at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"The last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of replica set condition.","type":"string"}}},"io.k8s.api.apps.v1.ReplicaSetList":{"description":"ReplicaSetList is a collection of ReplicaSets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ReplicaSets. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"ReplicaSetList","version":"v1"}]},"io.k8s.api.apps.v1.ReplicaSetSpec":{"description":"ReplicaSetSpec is the specification of a ReplicaSet.","type":"object","required":["selector"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller","type":"integer","format":"int32"},"selector":{"description":"Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"template":{"description":"Template is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}}},"io.k8s.api.apps.v1.ReplicaSetStatus":{"description":"ReplicaSetStatus represents the current status of a ReplicaSet.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"The number of available replicas (ready for at least minReadySeconds) for this replica set.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a replica set's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"fullyLabeledReplicas":{"description":"The number of pods that have labels matching the labels of the pod template of the replicaset.","type":"integer","format":"int32"},"observedGeneration":{"description":"ObservedGeneration reflects the generation of the most recently observed ReplicaSet.","type":"integer","format":"int64"},"readyReplicas":{"description":"readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the most recently observed number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.RollingUpdateDaemonSet":{"description":"Spec to control the desired behavior of daemon set rolling update.","type":"object","properties":{"maxSurge":{"description":"The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediatedly created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"maxUnavailable":{"description":"The maximum number of DaemonSet pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of total number of DaemonSet pods at the start of the update (ex: 10%). Absolute number is calculated from percentage by rounding up. This cannot be 0 if MaxSurge is 0 Default value is 1. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their pods stopped for an update at any given time. The update starts by stopping at most 30% of those DaemonSet pods and then brings up new DaemonSet pods in their place. Once the new pods are available, it then proceeds onto other DaemonSet pods, thus ensuring that at least 70% of original number of DaemonSet pods are available at all times during the update.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}}},"io.k8s.api.apps.v1.RollingUpdateDeployment":{"description":"Spec to control the desired behavior of rolling update.","type":"object","properties":{"maxSurge":{"description":"The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"maxUnavailable":{"description":"The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}}},"io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy":{"description":"RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.","type":"object","properties":{"maxUnavailable":{"description":"The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding up. This can not be 0. Defaults to 1. This field is alpha-level and is only honored by servers that enable the MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it will be counted towards MaxUnavailable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"partition":{"description":"Partition indicates the ordinal at which the StatefulSet should be partitioned for updates. During a rolling update, all pods from ordinal Replicas-1 to Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. This is helpful in being able to do a canary based deployment. The default value is 0.","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.StatefulSet":{"description":"StatefulSet represents a set of pods with consistent identities. Identities are defined as:\n - Network: A single stable DNS and hostname.\n - Storage: As many VolumeClaims as requested.\n\nThe StatefulSet guarantees that a given network identity will always map to the same storage identity.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the desired identities of pods in this set.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetSpec"},"status":{"description":"Status is the current status of Pods in this StatefulSet. This data may be out of date by some window of time.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetStatus"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"StatefulSet","version":"v1"}]},"io.k8s.api.apps.v1.StatefulSetCondition":{"description":"StatefulSetCondition describes the state of a statefulset at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of statefulset condition.","type":"string"}}},"io.k8s.api.apps.v1.StatefulSetList":{"description":"StatefulSetList is a collection of StatefulSets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of stateful sets.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSet"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apps","kind":"StatefulSetList","version":"v1"}]},"io.k8s.api.apps.v1.StatefulSetOrdinals":{"description":"StatefulSetOrdinals describes the policy used for replica ordinal assignment in this StatefulSet.","type":"object","properties":{"start":{"description":"start is the number representing the first replica's index. It may be used to number replicas from an alternate index (eg: 1-indexed) over the default 0-indexed names, or to orchestrate progressive movement of replicas from one StatefulSet to another. If set, replica indices will be in the range:\n [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).\nIf unset, defaults to 0. Replica indices will be in the range:\n [0, .spec.replicas).","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy":{"description":"StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs created from the StatefulSet VolumeClaimTemplates.","type":"object","properties":{"whenDeleted":{"description":"WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted. The default policy of `Retain` causes PVCs to not be affected by StatefulSet deletion. The `Delete` policy causes those PVCs to be deleted.","type":"string"},"whenScaled":{"description":"WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. The default policy of `Retain` causes PVCs to not be affected by a scaledown. The `Delete` policy causes the associated PVCs for any excess pods above the replica count to be deleted.","type":"string"}}},"io.k8s.api.apps.v1.StatefulSetSpec":{"description":"A StatefulSetSpec is the specification of a StatefulSet.","type":"object","required":["selector","template","serviceName"],"properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"ordinals":{"description":"ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal feature gate to be enabled, which is beta.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetOrdinals"},"persistentVolumeClaimRetentionPolicy":{"description":"persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled, which is alpha. +optional","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy"},"podManagementPolicy":{"description":"podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.\n\nPossible enum values:\n - `\"OrderedReady\"` will create pods in strictly increasing order on scale up and strictly decreasing order on scale down, progressing only when the previous pod is ready or terminated. At most one pod will be changed at any time.\n - `\"Parallel\"` will create and delete pods as soon as the stateful set replica count is changed, and will not wait for pods to be ready or complete termination.","type":"string","enum":["OrderedReady","Parallel"]},"replicas":{"description":"replicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.","type":"integer","format":"int32"},"revisionHistoryLimit":{"description":"revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.","type":"integer","format":"int32"},"selector":{"description":"selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"serviceName":{"description":"serviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where \"pod-specific-string\" is managed by the StatefulSet controller.","type":"string"},"template":{"description":"template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format -. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". The only allowed template.spec.restartPolicy value is \"Always\".","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"updateStrategy":{"description":"updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template.","$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy"},"volumeClaimTemplates":{"description":"volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.apps.v1.StatefulSetStatus":{"description":"StatefulSetStatus represents the current state of a StatefulSet.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.","type":"integer","format":"int32"},"collisionCount":{"description":"collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a statefulset's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentReplicas":{"description":"currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.","type":"integer","format":"int32"},"currentRevision":{"description":"currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).","type":"string"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.","type":"integer","format":"int64"},"readyReplicas":{"description":"readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.","type":"integer","format":"int32"},"replicas":{"description":"replicas is the number of Pods created by the StatefulSet controller.","type":"integer","format":"int32"},"updateRevision":{"description":"updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)","type":"string"},"updatedReplicas":{"description":"updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.","type":"integer","format":"int32"}}},"io.k8s.api.apps.v1.StatefulSetUpdateStrategy":{"description":"StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.","type":"object","properties":{"rollingUpdate":{"description":"RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.","$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"},"type":{"description":"Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.\n\nPossible enum values:\n - `\"OnDelete\"` triggers the legacy behavior. Version tracking and ordered rolling restarts are disabled. Pods are recreated from the StatefulSetSpec when they are manually deleted. When a scale operation is performed with this strategy,specification version indicated by the StatefulSet's currentRevision.\n - `\"RollingUpdate\"` indicates that update will be applied to all Pods in the StatefulSet with respect to the StatefulSet ordering constraints. When a scale operation is performed with this strategy, new Pods will be created from the specification version indicated by the StatefulSet's updateRevision.","type":"string","enum":["OnDelete","RollingUpdate"]}}},"io.k8s.api.authentication.v1.BoundObjectReference":{"description":"BoundObjectReference is a reference to an object that a token is bound to.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"kind":{"description":"Kind of the referent. Valid kinds are 'Pod' and 'Secret'.","type":"string"},"name":{"description":"Name of the referent.","type":"string"},"uid":{"description":"UID of the referent.","type":"string"}}},"io.k8s.api.authentication.v1.SelfSubjectReview":{"description":"SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"status":{"description":"Status is filled in by the server with the user attributes.","$ref":"#/definitions/io.k8s.api.authentication.v1.SelfSubjectReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"SelfSubjectReview","version":"v1"}]},"io.k8s.api.authentication.v1.SelfSubjectReviewStatus":{"description":"SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.","type":"object","properties":{"userInfo":{"description":"User attributes of the user making this request.","$ref":"#/definitions/io.k8s.api.authentication.v1.UserInfo"}}},"io.k8s.api.authentication.v1.TokenRequest":{"description":"TokenRequest requests a token for a given service account.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestSpec"},"status":{"description":"Status is filled in by the server and indicates whether the token can be authenticated.","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"TokenRequest","version":"v1"}]},"io.k8s.api.authentication.v1.TokenRequestSpec":{"description":"TokenRequestSpec contains client provided parameters of a token request.","type":"object","required":["audiences"],"properties":{"audiences":{"description":"Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"boundObjectRef":{"description":"BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.","$ref":"#/definitions/io.k8s.api.authentication.v1.BoundObjectReference"},"expirationSeconds":{"description":"ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.","type":"integer","format":"int64"}}},"io.k8s.api.authentication.v1.TokenRequestStatus":{"description":"TokenRequestStatus is the result of a token request.","type":"object","required":["token","expirationTimestamp"],"properties":{"expirationTimestamp":{"description":"ExpirationTimestamp is the time of expiration of the returned token.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"token":{"description":"Token is the opaque bearer token.","type":"string"}}},"io.k8s.api.authentication.v1.TokenReview":{"description":"TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request can be authenticated.","$ref":"#/definitions/io.k8s.api.authentication.v1.TokenReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"TokenReview","version":"v1"}]},"io.k8s.api.authentication.v1.TokenReviewSpec":{"description":"TokenReviewSpec is a description of the token authentication request.","type":"object","properties":{"audiences":{"description":"Audiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"token":{"description":"Token is the opaque bearer token.","type":"string"}}},"io.k8s.api.authentication.v1.TokenReviewStatus":{"description":"TokenReviewStatus is the result of the token authentication request.","type":"object","properties":{"audiences":{"description":"Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"authenticated":{"description":"Authenticated indicates that the token was associated with a known user.","type":"boolean"},"error":{"description":"Error indicates that the token couldn't be checked","type":"string"},"user":{"description":"User is the UserInfo associated with the provided token.","$ref":"#/definitions/io.k8s.api.authentication.v1.UserInfo"}}},"io.k8s.api.authentication.v1.UserInfo":{"description":"UserInfo holds the information about the user needed to implement the user.Info interface.","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"uid":{"description":"A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}},"io.k8s.api.authorization.v1.LocalSubjectAccessReview":{"description":"LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace you made the request against. If empty, it is defaulted.","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"LocalSubjectAccessReview","version":"v1"}]},"io.k8s.api.authorization.v1.NonResourceAttributes":{"description":"NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface","type":"object","properties":{"path":{"description":"Path is the URL path of the request","type":"string"},"verb":{"description":"Verb is the standard HTTP verb","type":"string"}}},"io.k8s.api.authorization.v1.NonResourceRule":{"description":"NonResourceRule holds information that describes a rule for the non-resource","type":"object","required":["verbs"],"properties":{"nonResourceURLs":{"description":"NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.authorization.v1.ResourceAttributes":{"description":"ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface","type":"object","properties":{"group":{"description":"Group is the API Group of the Resource. \"*\" means all.","type":"string"},"name":{"description":"Name is the name of the resource being requested for a \"get\" or deleted for a \"delete\". \"\" (empty) means all.","type":"string"},"namespace":{"description":"Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces \"\" (empty) is defaulted for LocalSubjectAccessReviews \"\" (empty) is empty for cluster-scoped resources \"\" (empty) means \"all\" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview","type":"string"},"resource":{"description":"Resource is one of the existing resource types. \"*\" means all.","type":"string"},"subresource":{"description":"Subresource is one of the existing resource types. \"\" means none.","type":"string"},"verb":{"description":"Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. \"*\" means all.","type":"string"},"version":{"description":"Version is the API Version of the Resource. \"*\" means all.","type":"string"}}},"io.k8s.api.authorization.v1.ResourceRule":{"description":"ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"object","required":["verbs"],"properties":{"apiGroups":{"description":"APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to. \"*\" means all in the specified apiGroups.\n \"*/foo\" represents the subresource 'foo' for all resources in the specified apiGroups.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. \"*\" means all.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.authorization.v1.SelfSubjectAccessReview":{"description":"SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means \"in all namespaces\". Self is a special case, because users should always be able to check whether they can perform an action","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated. user and groups must be empty","$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SelfSubjectAccessReview","version":"v1"}]},"io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec":{"description":"SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set","type":"object","properties":{"nonResourceAttributes":{"description":"NonResourceAttributes describes information for a non-resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"},"resourceAttributes":{"description":"ResourceAuthorizationAttributes describes information for a resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"}}},"io.k8s.api.authorization.v1.SelfSubjectRulesReview":{"description":"SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated.","$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec"},"status":{"description":"Status is filled in by the server and indicates the set of actions a user can perform.","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectRulesReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SelfSubjectRulesReview","version":"v1"}]},"io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec":{"description":"SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.","type":"object","properties":{"namespace":{"description":"Namespace to evaluate rules for. Required.","type":"string"}}},"io.k8s.api.authorization.v1.SubjectAccessReview":{"description":"SubjectAccessReview checks whether or not a user or group can perform an action.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec holds information about the request being evaluated","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"},"status":{"description":"Status is filled in by the server and indicates whether the request is allowed or not","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"}},"x-kubernetes-group-version-kind":[{"group":"authorization.k8s.io","kind":"SubjectAccessReview","version":"v1"}]},"io.k8s.api.authorization.v1.SubjectAccessReviewSpec":{"description":"SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set","type":"object","properties":{"extra":{"description":"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"Groups is the groups you're testing for.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nonResourceAttributes":{"description":"NonResourceAttributes describes information for a non-resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"},"resourceAttributes":{"description":"ResourceAuthorizationAttributes describes information for a resource access request","$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"},"uid":{"description":"UID information about the requesting user.","type":"string"},"user":{"description":"User is the user you're testing for. If you specify \"User\" but not \"Groups\", then is it interpreted as \"What if User were not a member of any groups","type":"string"}}},"io.k8s.api.authorization.v1.SubjectAccessReviewStatus":{"description":"SubjectAccessReviewStatus","type":"object","required":["allowed"],"properties":{"allowed":{"description":"Allowed is required. True if the action would be allowed, false otherwise.","type":"boolean"},"denied":{"description":"Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.","type":"boolean"},"evaluationError":{"description":"EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.","type":"string"},"reason":{"description":"Reason is optional. It indicates why a request was allowed or denied.","type":"string"}}},"io.k8s.api.authorization.v1.SubjectRulesReviewStatus":{"description":"SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.","type":"object","required":["resourceRules","nonResourceRules","incomplete"],"properties":{"evaluationError":{"description":"EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.","type":"string"},"incomplete":{"description":"Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.","type":"boolean"},"nonResourceRules":{"description":"NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceRule"},"x-kubernetes-list-type":"atomic"},"resourceRules":{"description":"ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceRule"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.autoscaling.v1.CrossVersionObjectReference":{"description":"CrossVersionObjectReference contains enough information to let you identify the referred resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"apiVersion is the API version of the referent","type":"string"},"kind":{"description":"kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler":{"description":"configuration of a horizontal pod autoscaler.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the behaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"},"status":{"description":"status is the current information about the autoscaler.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v1"}]},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList":{"description":"list of horizontal pod autoscaler objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of horizontal pod autoscaler objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscalerList","version":"v1"}]},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec":{"description":"specification of a horizontal pod autoscaler.","type":"object","required":["scaleTargetRef","maxReplicas"],"properties":{"maxReplicas":{"description":"maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.","type":"integer","format":"int32"},"minReplicas":{"description":"minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available.","type":"integer","format":"int32"},"scaleTargetRef":{"description":"reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.CrossVersionObjectReference"},"targetCPUUtilizationPercentage":{"description":"targetCPUUtilizationPercentage is the target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.","type":"integer","format":"int32"}}},"io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus":{"description":"current status of a horizontal pod autoscaler","type":"object","required":["currentReplicas","desiredReplicas"],"properties":{"currentCPUUtilizationPercentage":{"description":"currentCPUUtilizationPercentage is the current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.","type":"integer","format":"int32"},"currentReplicas":{"description":"currentReplicas is the current number of replicas of pods managed by this autoscaler.","type":"integer","format":"int32"},"desiredReplicas":{"description":"desiredReplicas is the desired number of replicas of pods managed by this autoscaler.","type":"integer","format":"int32"},"lastScaleTime":{"description":"lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed by this autoscaler.","type":"integer","format":"int64"}}},"io.k8s.api.autoscaling.v1.Scale":{"description":"Scale represents a scaling request for a resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec"},"status":{"description":"status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.","$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"Scale","version":"v1"}]},"io.k8s.api.autoscaling.v1.ScaleSpec":{"description":"ScaleSpec describes the attributes of a scale subresource.","type":"object","properties":{"replicas":{"description":"replicas is the desired number of instances for the scaled object.","type":"integer","format":"int32"}}},"io.k8s.api.autoscaling.v1.ScaleStatus":{"description":"ScaleStatus represents the current status of a scale subresource.","type":"object","required":["replicas"],"properties":{"replicas":{"description":"replicas is the actual number of observed instances of the scaled object.","type":"integer","format":"int32"},"selector":{"description":"selector is the label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/","type":"string"}}},"io.k8s.api.autoscaling.v2.ContainerResourceMetricSource":{"description":"ContainerResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). The values will be averaged together before being compared to the target. Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. Only one \"target\" type should be set.","type":"object","required":["name","target","container"],"properties":{"container":{"description":"container is the name of the container in the pods of the scaling target","type":"string"},"name":{"description":"name is the name of the resource in question.","type":"string"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}}},"io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus":{"description":"ContainerResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","type":"object","required":["name","current","container"],"properties":{"container":{"description":"container is the name of the container in the pods of the scaling target","type":"string"},"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"name":{"description":"name is the name of the resource in question.","type":"string"}}},"io.k8s.api.autoscaling.v2.CrossVersionObjectReference":{"description":"CrossVersionObjectReference contains enough information to let you identify the referred resource.","type":"object","required":["kind","name"],"properties":{"apiVersion":{"description":"apiVersion is the API version of the referent","type":"string"},"kind":{"description":"kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}}},"io.k8s.api.autoscaling.v2.ExternalMetricSource":{"description":"ExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","type":"object","required":["metric","target"],"properties":{"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}}},"io.k8s.api.autoscaling.v2.ExternalMetricStatus":{"description":"ExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.","type":"object","required":["metric","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}}},"io.k8s.api.autoscaling.v2.HPAScalingPolicy":{"description":"HPAScalingPolicy is a single policy which must hold true for a specified past interval.","type":"object","required":["type","value","periodSeconds"],"properties":{"periodSeconds":{"description":"periodSeconds specifies the window of time for which the policy should hold true. PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).","type":"integer","format":"int32"},"type":{"description":"type is used to specify the scaling policy.","type":"string"},"value":{"description":"value contains the amount of change which is permitted by the policy. It must be greater than zero","type":"integer","format":"int32"}}},"io.k8s.api.autoscaling.v2.HPAScalingRules":{"description":"HPAScalingRules configures the scaling behavior for one direction. These Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.","type":"object","properties":{"policies":{"description":"policies is a list of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingPolicy"},"x-kubernetes-list-type":"atomic"},"selectPolicy":{"description":"selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.","type":"string"},"stabilizationWindowSeconds":{"description":"stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).","type":"integer","format":"int32"}}},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler":{"description":"HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec"},"status":{"description":"status is the current information about the autoscaler.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscaler","version":"v2"}]},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior":{"description":"HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).","type":"object","properties":{"scaleDown":{"description":"scaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingRules"},"scaleUp":{"description":"scaleUp is scaling policy for scaling Up. If not set, the default value is the higher of:\n * increase no more than 4 pods per 60 seconds\n * double the number of pods per 60 seconds\nNo stabilization is used.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingRules"}}},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition":{"description":"HorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable explanation containing details about the transition","type":"string"},"reason":{"description":"reason is the reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition (True, False, Unknown)","type":"string"},"type":{"description":"type describes the current condition","type":"string"}}},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerList":{"description":"HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of horizontal pod autoscaler objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscaler"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"metadata is the standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"HorizontalPodAutoscalerList","version":"v2"}]},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerSpec":{"description":"HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.","type":"object","required":["scaleTargetRef","maxReplicas"],"properties":{"behavior":{"description":"behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerBehavior"},"maxReplicas":{"description":"maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.","type":"integer","format":"int32"},"metrics":{"description":"metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricSpec"},"x-kubernetes-list-type":"atomic"},"minReplicas":{"description":"minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available.","type":"integer","format":"int32"},"scaleTargetRef":{"description":"scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"}}},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerStatus":{"description":"HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.","type":"object","required":["desiredReplicas"],"properties":{"conditions":{"description":"conditions is the set of conditions required for this autoscaler to scale its target, and indicates whether or not those conditions are met.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentMetrics":{"description":"currentMetrics is the last read state of the metrics used by this autoscaler.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricStatus"},"x-kubernetes-list-type":"atomic"},"currentReplicas":{"description":"currentReplicas is current number of replicas of pods managed by this autoscaler, as last seen by the autoscaler.","type":"integer","format":"int32"},"desiredReplicas":{"description":"desiredReplicas is the desired number of replicas of pods managed by this autoscaler, as last calculated by the autoscaler.","type":"integer","format":"int32"},"lastScaleTime":{"description":"lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods, used by the autoscaler to control how often the number of pods is changed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"observedGeneration":{"description":"observedGeneration is the most recent generation observed by this autoscaler.","type":"integer","format":"int64"}}},"io.k8s.api.autoscaling.v2.MetricIdentifier":{"description":"MetricIdentifier defines the name and optionally selector for a metric","type":"object","required":["name"],"properties":{"name":{"description":"name is the name of the given metric","type":"string"},"selector":{"description":"selector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}}},"io.k8s.api.autoscaling.v2.MetricSpec":{"description":"MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).","type":"object","required":["type"],"properties":{"containerResource":{"description":"containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource"},"external":{"description":"external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource"},"object":{"description":"object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ObjectMetricSource"},"pods":{"description":"pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.PodsMetricSource"},"resource":{"description":"resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ResourceMetricSource"},"type":{"description":"type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled","type":"string"}}},"io.k8s.api.autoscaling.v2.MetricStatus":{"description":"MetricStatus describes the last-read state of a single metric.","type":"object","required":["type"],"properties":{"containerResource":{"description":"container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricStatus"},"external":{"description":"external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricStatus"},"object":{"description":"object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object).","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ObjectMetricStatus"},"pods":{"description":"pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.PodsMetricStatus"},"resource":{"description":"resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","$ref":"#/definitions/io.k8s.api.autoscaling.v2.ResourceMetricStatus"},"type":{"description":"type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled","type":"string"}}},"io.k8s.api.autoscaling.v2.MetricTarget":{"description":"MetricTarget defines the target value, average value, or average utilization of a specific metric","type":"object","required":["type"],"properties":{"averageUtilization":{"description":"averageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type","type":"integer","format":"int32"},"averageValue":{"description":"averageValue is the target value of the average of the metric across all relevant pods (as a quantity)","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"type":{"description":"type represents whether the metric type is Utilization, Value, or AverageValue","type":"string"},"value":{"description":"value is the target value of the metric (as a quantity).","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"io.k8s.api.autoscaling.v2.MetricValueStatus":{"description":"MetricValueStatus holds the current value for a metric","type":"object","properties":{"averageUtilization":{"description":"currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.","type":"integer","format":"int32"},"averageValue":{"description":"averageValue is the current value of the average of the metric across all relevant pods (as a quantity)","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"value":{"description":"value is the current value of the metric (as a quantity).","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"io.k8s.api.autoscaling.v2.ObjectMetricSource":{"description":"ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).","type":"object","required":["describedObject","target","metric"],"properties":{"describedObject":{"description":"describedObject specifies the descriptions of a object,such as kind,name apiVersion","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}}},"io.k8s.api.autoscaling.v2.ObjectMetricStatus":{"description":"ObjectMetricStatus indicates the current value of a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).","type":"object","required":["metric","current","describedObject"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"describedObject":{"description":"DescribedObject specifies the descriptions of a object,such as kind,name apiVersion","$ref":"#/definitions/io.k8s.api.autoscaling.v2.CrossVersionObjectReference"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}}},"io.k8s.api.autoscaling.v2.PodsMetricSource":{"description":"PodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.","type":"object","required":["metric","target"],"properties":{"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}}},"io.k8s.api.autoscaling.v2.PodsMetricStatus":{"description":"PodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).","type":"object","required":["metric","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"metric":{"description":"metric identifies the target metric by name and selector","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier"}}},"io.k8s.api.autoscaling.v2.ResourceMetricSource":{"description":"ResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). The values will be averaged together before being compared to the target. Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. Only one \"target\" type should be set.","type":"object","required":["name","target"],"properties":{"name":{"description":"name is the name of the resource in question.","type":"string"},"target":{"description":"target specifies the target value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget"}}},"io.k8s.api.autoscaling.v2.ResourceMetricStatus":{"description":"ResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source.","type":"object","required":["name","current"],"properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"name":{"description":"name is the name of the resource in question.","type":"string"}}},"io.k8s.api.batch.v1.CronJob":{"description":"CronJob represents the configuration of a single cron job.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.CronJobSpec"},"status":{"description":"Current status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.CronJobStatus"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"CronJob","version":"v1"}]},"io.k8s.api.batch.v1.CronJobList":{"description":"CronJobList is a collection of cron jobs.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CronJobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.CronJob"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"CronJobList","version":"v1"}]},"io.k8s.api.batch.v1.CronJobSpec":{"description":"CronJobSpec describes how the job execution will look like and when it will actually run.","type":"object","required":["schedule","jobTemplate"],"properties":{"concurrencyPolicy":{"description":"Specifies how to treat concurrent executions of a Job. Valid values are:\n\n- \"Allow\" (default): allows CronJobs to run concurrently; - \"Forbid\": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - \"Replace\": cancels currently running job and replaces it with a new one\n\nPossible enum values:\n - `\"Allow\"` allows CronJobs to run concurrently.\n - `\"Forbid\"` forbids concurrent runs, skipping next run if previous hasn't finished yet.\n - `\"Replace\"` cancels currently running job and replaces it with a new one.","type":"string","enum":["Allow","Forbid","Replace"]},"failedJobsHistoryLimit":{"description":"The number of failed finished jobs to retain. Value must be non-negative integer. Defaults to 1.","type":"integer","format":"int32"},"jobTemplate":{"description":"Specifies the job that will be created when executing a CronJob.","$ref":"#/definitions/io.k8s.api.batch.v1.JobTemplateSpec"},"schedule":{"description":"The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.","type":"string"},"startingDeadlineSeconds":{"description":"Optional deadline in seconds for starting the job if it misses scheduled time for any reason. Missed jobs executions will be counted as failed ones.","type":"integer","format":"int64"},"successfulJobsHistoryLimit":{"description":"The number of successful finished jobs to retain. Value must be non-negative integer. Defaults to 3.","type":"integer","format":"int32"},"suspend":{"description":"This flag tells the controller to suspend subsequent executions, it does not apply to already started executions. Defaults to false.","type":"boolean"},"timeZone":{"description":"The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones","type":"string"}}},"io.k8s.api.batch.v1.CronJobStatus":{"description":"CronJobStatus represents the current state of a cron job.","type":"object","properties":{"active":{"description":"A list of pointers to currently running jobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"x-kubernetes-list-type":"atomic"},"lastScheduleTime":{"description":"Information when was the last time the job was successfully scheduled.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastSuccessfulTime":{"description":"Information when was the last time the job successfully completed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.api.batch.v1.Job":{"description":"Job represents the configuration of a single job.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobSpec"},"status":{"description":"Current status of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobStatus"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"Job","version":"v1"}]},"io.k8s.api.batch.v1.JobCondition":{"description":"JobCondition describes current state of a job.","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"Last time the condition was checked.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transit from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human readable message indicating details about last transition.","type":"string"},"reason":{"description":"(brief) reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of job condition, Complete or Failed.","type":"string"}}},"io.k8s.api.batch.v1.JobList":{"description":"JobList is a collection of jobs.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of Jobs.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"batch","kind":"JobList","version":"v1"}]},"io.k8s.api.batch.v1.JobSpec":{"description":"JobSpec describes how the job execution will look like.","type":"object","required":["template"],"properties":{"activeDeadlineSeconds":{"description":"Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.","type":"integer","format":"int64"},"backoffLimit":{"description":"Specifies the number of retries before marking this job failed. Defaults to 6","type":"integer","format":"int32"},"backoffLimitPerIndex":{"description":"Specifies the limit for the number of retries within an index before marking this index as failed. When enabled the number of failures per index is kept in the pod's batch.kubernetes.io/job-index-failure-count annotation. It can only be set when Job's completionMode=Indexed, and the Pod's restart policy is Never. The field is immutable. This field is beta-level. It can be used when the `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default).","type":"integer","format":"int32"},"completionMode":{"description":"completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`.\n\n`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other.\n\n`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. In addition, The Pod name takes the form `$(job-name)-$(index)-$(random-string)`, the Pod hostname takes the form `$(job-name)-$(index)`.\n\nMore completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, which is possible during upgrades due to version skew, the controller skips updates for the Job.\n\nPossible enum values:\n - `\"Indexed\"` is a Job completion mode. In this mode, the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1). The Job is considered complete when a Pod completes for each completion index.\n - `\"NonIndexed\"` is a Job completion mode. In this mode, the Job is considered complete when there have been .spec.completions successfully completed Pods. Pod completions are homologous to each other.","type":"string","enum":["Indexed","NonIndexed"]},"completions":{"description":"Specifies the desired number of successfully finished pods the job should be run with. Setting to null means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value. Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"integer","format":"int32"},"managedBy":{"description":"ManagedBy field indicates the controller that manages a Job. The k8s Job controller reconciles jobs which don't have this field at all or the field value is the reserved string `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first \"/\" must be a valid subdomain as defined by RFC 1123. All characters trailing the first \"/\" must be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 64 characters.\n\nThis field is alpha-level. The job controller accepts setting the field when the feature gate JobManagedBy is enabled (disabled by default).","type":"string"},"manualSelector":{"description":"manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system pick labels unique to this job and appends those labels to the pod template. When true, the user is responsible for picking unique labels and specifying the selector. Failure to pick a unique label may cause this and other jobs to not function correctly. However, You may see `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` API. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector","type":"boolean"},"maxFailedIndexes":{"description":"Specifies the maximal number of failed indexes before marking the Job as failed, when backoffLimitPerIndex is set. Once the number of failed indexes exceeds this number the entire Job is marked as Failed and its execution is terminated. When left as null the job continues execution of all of its indexes and is marked with the `Complete` Job condition. It can only be specified when backoffLimitPerIndex is set. It can be null or up to completions. It is required and must be less than or equal to 10^4 when is completions greater than 10^5. This field is beta-level. It can be used when the `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default).","type":"integer","format":"int32"},"parallelism":{"description":"Specifies the maximum desired number of pods the job should run at any given time. The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"integer","format":"int32"},"podFailurePolicy":{"description":"Specifies the policy of handling failed pods. In particular, it allows to specify the set of actions and conditions which need to be satisfied to take the associated action. If empty, the default behaviour applies - the counter of failed pods, represented by the jobs's .status.failed field, is incremented and it is checked against the backoffLimit. This field cannot be used in combination with restartPolicy=OnFailure.\n\nThis field is beta-level. It can be used when the `JobPodFailurePolicy` feature gate is enabled (enabled by default).","$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicy"},"podReplacementPolicy":{"description":"podReplacementPolicy specifies when to create replacement Pods. Possible values are: - TerminatingOrFailed means that we recreate pods\n when they are terminating (has a metadata.deletionTimestamp) or failed.\n- Failed means to wait until a previously created Pod is fully terminated (has phase\n Failed or Succeeded) before creating a replacement Pod.\n\nWhen using podFailurePolicy, Failed is the the only allowed value. TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use. This is an beta field. To use this, enable the JobPodReplacementPolicy feature toggle. This is on by default.\n\nPossible enum values:\n - `\"Failed\"` means to wait until a previously created Pod is fully terminated (has phase Failed or Succeeded) before creating a replacement Pod.\n - `\"TerminatingOrFailed\"` means that we recreate pods when they are terminating (has a metadata.deletionTimestamp) or failed.","type":"string","enum":["Failed","TerminatingOrFailed"]},"selector":{"description":"A label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"successPolicy":{"description":"successPolicy specifies the policy when the Job can be declared as succeeded. If empty, the default behavior applies - the Job is declared as succeeded only when the number of succeeded pods equals to the completions. When the field is specified, it must be immutable and works only for the Indexed Jobs. Once the Job meets the SuccessPolicy, the lingering pods are terminated.\n\nThis field is alpha-level. To use this field, you must enable the `JobSuccessPolicy` feature gate (disabled by default).","$ref":"#/definitions/io.k8s.api.batch.v1.SuccessPolicy"},"suspend":{"description":"suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. Defaults to false.","type":"boolean"},"template":{"description":"Describes the pod that will be created when executing a job. The only allowed template.spec.restartPolicy values are \"Never\" or \"OnFailure\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"},"ttlSecondsAfterFinished":{"description":"ttlSecondsAfterFinished limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted. When the Job is being deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the Job won't be automatically deleted. If this field is set to zero, the Job becomes eligible to be deleted immediately after it finishes.","type":"integer","format":"int32"}}},"io.k8s.api.batch.v1.JobStatus":{"description":"JobStatus represents the current state of a Job.","type":"object","properties":{"active":{"description":"The number of pending and running pods which are not terminating (without a deletionTimestamp). The value is zero for finished jobs.","type":"integer","format":"int32"},"completedIndexes":{"description":"completedIndexes holds the completed indexes when .spec.completionMode = \"Indexed\" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\".","type":"string"},"completionTime":{"description":"Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. The completion time is set when the job finishes successfully, and only then. The value cannot be updated or removed. The value indicates the same or later point in time as the startTime field.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"conditions":{"description":"The latest available observations of an object's current state. When a Job fails, one of the conditions will have type \"Failed\" and status true. When a Job is suspended, one of the conditions will have type \"Suspended\" and status true; when the Job is resumed, the status of this condition will become false. When a Job is completed, one of the conditions will have type \"Complete\" and status true.\n\nA job is considered finished when it is in a terminal condition, either \"Complete\" or \"Failed\". A Job cannot have both the \"Complete\" and \"Failed\" conditions. Additionally, it cannot be in the \"Complete\" and \"FailureTarget\" conditions. The \"Complete\", \"Failed\" and \"FailureTarget\" conditions cannot be disabled.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.JobCondition"},"x-kubernetes-list-type":"atomic","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"failed":{"description":"The number of pods which reached phase Failed. The value increases monotonically.","type":"integer","format":"int32"},"failedIndexes":{"description":"FailedIndexes holds the failed indexes when spec.backoffLimitPerIndex is set. The indexes are represented in the text format analogous as for the `completedIndexes` field, ie. they are kept as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the failed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\". The set of failed indexes cannot overlap with the set of completed indexes.\n\nThis field is beta-level. It can be used when the `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default).","type":"string"},"ready":{"description":"The number of pods which have a Ready condition.","type":"integer","format":"int32"},"startTime":{"description":"Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. It is represented in RFC3339 form and is in UTC.\n\nOnce set, the field can only be removed when the job is suspended. The field cannot be modified while the job is unsuspended or finished.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"succeeded":{"description":"The number of pods which reached phase Succeeded. The value increases monotonically for a given spec. However, it may decrease in reaction to scale down of elastic indexed jobs.","type":"integer","format":"int32"},"terminating":{"description":"The number of pods which are terminating (in phase Pending or Running and have a deletionTimestamp).\n\nThis field is beta-level. The job controller populates the field when the feature gate JobPodReplacementPolicy is enabled (enabled by default).","type":"integer","format":"int32"},"uncountedTerminatedPods":{"description":"uncountedTerminatedPods holds the UIDs of Pods that have terminated but the job controller hasn't yet accounted for in the status counters.\n\nThe job controller creates pods with a finalizer. When a pod terminates (succeeded or failed), the controller does three steps to account for it in the job status:\n\n1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding\n counter.\n\nOld jobs might not be tracked using this field, in which case the field remains null. The structure is empty for finished jobs.","$ref":"#/definitions/io.k8s.api.batch.v1.UncountedTerminatedPods"}}},"io.k8s.api.batch.v1.JobTemplateSpec":{"description":"JobTemplateSpec describes the data a Job should have when created from a template","type":"object","properties":{"metadata":{"description":"Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.batch.v1.JobSpec"}}},"io.k8s.api.batch.v1.PodFailurePolicy":{"description":"PodFailurePolicy describes how failed pods influence the backoffLimit.","type":"object","required":["rules"],"properties":{"rules":{"description":"A list of pod failure policy rules. The rules are evaluated in order. Once a rule matches a Pod failure, the remaining of the rules are ignored. When no rule matches the Pod failure, the default handling applies - the counter of pod failures is incremented and it is checked against the backoffLimit. At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyRule"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement":{"description":"PodFailurePolicyOnExitCodesRequirement describes the requirement for handling a failed pod based on its container exit codes. In particular, it lookups the .state.terminated.exitCode for each app container and init container status, represented by the .status.containerStatuses and .status.initContainerStatuses fields in the Pod status, respectively. Containers completed with success (exit code 0) are excluded from the requirement check.","type":"object","required":["operator","values"],"properties":{"containerName":{"description":"Restricts the check for exit codes to the container with the specified name. When null, the rule applies to all containers. When specified, it should match one the container or initContainer names in the pod template.","type":"string"},"operator":{"description":"Represents the relationship between the container exit code(s) and the specified values. Containers completed with success (exit code 0) are excluded from the requirement check. Possible values are:\n\n- In: the requirement is satisfied if at least one container exit code\n (might be multiple if there are multiple containers not restricted\n by the 'containerName' field) is in the set of specified values.\n- NotIn: the requirement is satisfied if at least one container exit code\n (might be multiple if there are multiple containers not restricted\n by the 'containerName' field) is not in the set of specified values.\nAdditional values are considered to be added in the future. Clients should react to an unknown operator by assuming the requirement is not satisfied.\n\nPossible enum values:\n - `\"In\"`\n - `\"NotIn\"`","type":"string","enum":["In","NotIn"]},"values":{"description":"Specifies the set of values. Each returned container exit code (might be multiple in case of multiple containers) is checked against this set of values with respect to the operator. The list of values must be ordered and must not contain duplicates. Value '0' cannot be used for the In operator. At least one element is required. At most 255 elements are allowed.","type":"array","items":{"type":"integer","format":"int32"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern":{"description":"PodFailurePolicyOnPodConditionsPattern describes a pattern for matching an actual pod condition type.","type":"object","required":["type","status"],"properties":{"status":{"description":"Specifies the required Pod condition status. To match a pod condition it is required that the specified status equals the pod condition status. Defaults to True.","type":"string"},"type":{"description":"Specifies the required Pod condition type. To match a pod condition it is required that specified type equals the pod condition type.","type":"string"}}},"io.k8s.api.batch.v1.PodFailurePolicyRule":{"description":"PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of onExitCodes and onPodConditions, but not both, can be used in each rule.","type":"object","required":["action"],"properties":{"action":{"description":"Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are:\n\n- FailJob: indicates that the pod's job is marked as Failed and all\n running pods are terminated.\n- FailIndex: indicates that the pod's index is marked as Failed and will\n not be restarted.\n This value is beta-level. It can be used when the\n `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default).\n- Ignore: indicates that the counter towards the .backoffLimit is not\n incremented and a replacement pod is created.\n- Count: indicates that the pod is handled in the default way - the\n counter towards the .backoffLimit is incremented.\nAdditional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.\n\nPossible enum values:\n - `\"Count\"` This is an action which might be taken on a pod failure - the pod failure is handled in the default way - the counter towards .backoffLimit, represented by the job's .status.failed field, is incremented.\n - `\"FailIndex\"` This is an action which might be taken on a pod failure - mark the Job's index as failed to avoid restarts within this index. This action can only be used when backoffLimitPerIndex is set. This value is beta-level.\n - `\"FailJob\"` This is an action which might be taken on a pod failure - mark the pod's job as Failed and terminate all running pods.\n - `\"Ignore\"` This is an action which might be taken on a pod failure - the counter towards .backoffLimit, represented by the job's .status.failed field, is not incremented and a replacement pod is created.","type":"string","enum":["Count","FailIndex","FailJob","Ignore"]},"onExitCodes":{"description":"Represents the requirement on the container exit codes.","$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement"},"onPodConditions":{"description":"Represents the requirement on the pod conditions. The requirement is represented as a list of pod condition patterns. The requirement is satisfied if at least one pattern matches an actual pod condition. At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.batch.v1.SuccessPolicy":{"description":"SuccessPolicy describes when a Job can be declared as succeeded based on the success of some indexes.","type":"object","required":["rules"],"properties":{"rules":{"description":"rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the \"SucceededCriteriaMet\" condition is added, and the lingering pods are removed. The terminal state for such a Job has the \"Complete\" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.SuccessPolicyRule"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.batch.v1.SuccessPolicyRule":{"description":"SuccessPolicyRule describes rule for declaring a Job as succeeded. Each rule must have at least one of the \"succeededIndexes\" or \"succeededCount\" specified.","type":"object","properties":{"succeededCount":{"description":"succeededCount specifies the minimal required size of the actual set of the succeeded indexes for the Job. When succeededCount is used along with succeededIndexes, the check is constrained only to the set of indexes specified by succeededIndexes. For example, given that succeededIndexes is \"1-4\", succeededCount is \"3\", and completed indexes are \"1\", \"3\", and \"5\", the Job isn't declared as succeeded because only \"1\" and \"3\" indexes are considered in that rules. When this field is null, this doesn't default to any value and is never evaluated at any time. When specified it needs to be a positive integer.","type":"integer","format":"int32"},"succeededIndexes":{"description":"succeededIndexes specifies the set of indexes which need to be contained in the actual set of the succeeded indexes for the Job. The list of indexes must be within 0 to \".spec.completions-1\" and must not contain duplicates. At least one element is required. The indexes are represented as intervals separated by commas. The intervals can be a decimal integer or a pair of decimal integers separated by a hyphen. The number are listed in represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as \"1,3-5,7\". When this field is null, this field doesn't default to any value and is never evaluated at any time.","type":"string"}}},"io.k8s.api.batch.v1.UncountedTerminatedPods":{"description":"UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job status counters.","type":"object","properties":{"failed":{"description":"failed holds UIDs of failed Pods.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"succeeded":{"description":"succeeded holds UIDs of succeeded Pods.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.certificates.v1.CertificateSigningRequest":{"description":"CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.\n\nKubelets use this API to obtain:\n 1. client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client-kubelet\" signerName).\n 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the \"kubernetes.io/kubelet-serving\" signerName).\n\nThis API can be used to request client certificates to authenticate to kube-apiserver (with the \"kubernetes.io/kube-apiserver-client\" signerName), or to obtain certificates from custom non-Kubernetes signers.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec contains the certificate request, and is immutable after creation. Only the request, signerName, expirationSeconds, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users.","$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestSpec"},"status":{"description":"status contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure.","$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus"}},"x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"CertificateSigningRequest","version":"v1"}]},"io.k8s.api.certificates.v1.CertificateSigningRequestCondition":{"description":"CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastUpdateTime":{"description":"lastUpdateTime is the time of the last update to this condition","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message contains a human readable message with details about the request state","type":"string"},"reason":{"description":"reason indicates a brief reason for the request state","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be \"False\" or \"Unknown\".","type":"string"},"type":{"description":"type of the condition. Known conditions are \"Approved\", \"Denied\", and \"Failed\".\n\nAn \"Approved\" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.\n\nA \"Denied\" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.\n\nA \"Failed\" condition is added via the /status subresource, indicating the signer failed to issue the certificate.\n\nApproved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.\n\nOnly one condition of a given type is allowed.","type":"string"}}},"io.k8s.api.certificates.v1.CertificateSigningRequestList":{"description":"CertificateSigningRequestList is a collection of CertificateSigningRequest objects","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a collection of CertificateSigningRequest objects","type":"array","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"CertificateSigningRequestList","version":"v1"}]},"io.k8s.api.certificates.v1.CertificateSigningRequestSpec":{"description":"CertificateSigningRequestSpec contains the certificate request.","type":"object","required":["request","signerName"],"properties":{"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n 1. Old signer that is unaware of the field (such as the in-tree\n implementations prior to v1.22)\n 2. Signer whose configured maximum is shorter than the requested duration\n 3. Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.","type":"integer","format":"int32"},"extra":{"description":"extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"object","additionalProperties":{"type":"array","items":{"type":"string"}}},"groups":{"description":"groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"request":{"description":"request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.","type":"string","format":"byte","x-kubernetes-list-type":"atomic"},"signerName":{"description":"signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.","type":"string"},"uid":{"description":"uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"string"},"usages":{"description":"usages specifies a set of key usages requested in the issued certificate.\n\nRequests for TLS client certificates typically request: \"digital signature\", \"key encipherment\", \"client auth\".\n\nRequests for TLS serving certificates typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"","type":"array","items":{"type":"string","enum":["any","cert sign","client auth","code signing","content commitment","crl sign","data encipherment","decipher only","digital signature","email protection","encipher only","ipsec end system","ipsec tunnel","ipsec user","key agreement","key encipherment","microsoft sgc","netscape sgc","ocsp signing","s/mime","server auth","signing","timestamping"]},"x-kubernetes-list-type":"atomic"},"username":{"description":"username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"string"}}},"io.k8s.api.certificates.v1.CertificateSigningRequestStatus":{"description":"CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.","type":"object","properties":{"certificate":{"description":"certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable.\n\nIf the certificate signing request is denied, a condition of type \"Denied\" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type \"Failed\" is added and this field remains empty.\n\nValidation requirements:\n 1. certificate must contain one or more PEM blocks.\n 2. All PEM blocks must have the \"CERTIFICATE\" label, contain no headers, and the encoded data\n must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280.\n 3. Non-PEM content may appear before or after the \"CERTIFICATE\" PEM blocks and is unvalidated,\n to allow for explanatory text as described in section 5.2 of RFC7468.\n\nIf more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes.\n\nThe certificate is encoded in PEM format.\n\nWhen serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of:\n\n base64(\n -----BEGIN CERTIFICATE-----\n ...\n -----END CERTIFICATE-----\n )","type":"string","format":"byte","x-kubernetes-list-type":"atomic"},"conditions":{"description":"conditions applied to the request. Known conditions are \"Approved\", \"Denied\", and \"Failed\".","type":"array","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"}}},"io.k8s.api.coordination.v1.Lease":{"description":"Lease defines a lease concept.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.coordination.v1.LeaseSpec"}},"x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}]},"io.k8s.api.coordination.v1.LeaseList":{"description":"LeaseList is a list of Lease objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"LeaseList","version":"v1"}]},"io.k8s.api.coordination.v1.LeaseSpec":{"description":"LeaseSpec is a specification of a Lease.","type":"object","properties":{"acquireTime":{"description":"acquireTime is a time when the current lease was acquired.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"holderIdentity":{"description":"holderIdentity contains the identity of the holder of a current lease.","type":"string"},"leaseDurationSeconds":{"description":"leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed renewTime.","type":"integer","format":"int32"},"leaseTransitions":{"description":"leaseTransitions is the number of transitions of a lease between holders.","type":"integer","format":"int32"},"renewTime":{"description":"renewTime is a time when the current holder of a lease has last updated the lease.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"}}},"io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource":{"description":"Represents a Persistent Disk resource in AWS.\n\nAn AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).","type":"integer","format":"int32"},"readOnly":{"description":"readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"boolean"},"volumeID":{"description":"volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","type":"string"}}},"io.k8s.api.core.v1.Affinity":{"description":"Affinity is a group of affinity scheduling rules.","type":"object","properties":{"nodeAffinity":{"description":"Describes node affinity scheduling rules for the pod.","$ref":"#/definitions/io.k8s.api.core.v1.NodeAffinity"},"podAffinity":{"description":"Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).","$ref":"#/definitions/io.k8s.api.core.v1.PodAffinity"},"podAntiAffinity":{"description":"Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).","$ref":"#/definitions/io.k8s.api.core.v1.PodAntiAffinity"}}},"io.k8s.api.core.v1.AppArmorProfile":{"description":"AppArmorProfile defines a pod or container's AppArmor settings.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile loaded on the node that should be used. The profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must be set if and only if type is \"Localhost\".","type":"string"},"type":{"description":"type indicates which kind of AppArmor profile will be applied. Valid options are:\n Localhost - a profile pre-loaded on the node.\n RuntimeDefault - the container runtime's default profile.\n Unconfined - no AppArmor enforcement.\n\nPossible enum values:\n - `\"Localhost\"` indicates that a profile pre-loaded on the node should be used.\n - `\"RuntimeDefault\"` indicates that the container runtime's default AppArmor profile should be used.\n - `\"Unconfined\"` indicates that no AppArmor profile should be enforced.","type":"string","enum":["Localhost","RuntimeDefault","Unconfined"]}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"localhostProfile":"LocalhostProfile"}}]},"io.k8s.api.core.v1.AttachedVolume":{"description":"AttachedVolume describes a volume attached to a node","type":"object","required":["name","devicePath"],"properties":{"devicePath":{"description":"DevicePath represents the device path where the volume should be available","type":"string"},"name":{"description":"Name of the attached volume","type":"string"}}},"io.k8s.api.core.v1.AzureDiskVolumeSource":{"description":"AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.","type":"object","required":["diskName","diskURI"],"properties":{"cachingMode":{"description":"cachingMode is the Host Caching mode: None, Read Only, Read Write.\n\nPossible enum values:\n - `\"None\"`\n - `\"ReadOnly\"`\n - `\"ReadWrite\"`","type":"string","enum":["None","ReadOnly","ReadWrite"]},"diskName":{"description":"diskName is the Name of the data disk in the blob storage","type":"string"},"diskURI":{"description":"diskURI is the URI of data disk in the blob storage","type":"string"},"fsType":{"description":"fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"kind":{"description":"kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared\n\nPossible enum values:\n - `\"Dedicated\"`\n - `\"Managed\"`\n - `\"Shared\"`","type":"string","enum":["Dedicated","Managed","Shared"]},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"}}},"io.k8s.api.core.v1.AzureFilePersistentVolumeSource":{"description":"AzureFile represents an Azure File Service mount on the host and bind mount to the pod.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the name of secret that contains Azure Storage Account Name and Key","type":"string"},"secretNamespace":{"description":"secretNamespace is the namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod","type":"string"},"shareName":{"description":"shareName is the azure Share Name","type":"string"}}},"io.k8s.api.core.v1.AzureFileVolumeSource":{"description":"AzureFile represents an Azure File Service mount on the host and bind mount to the pod.","type":"object","required":["secretName","shareName"],"properties":{"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretName":{"description":"secretName is the name of secret that contains Azure Storage Account Name and Key","type":"string"},"shareName":{"description":"shareName is the azure share Name","type":"string"}}},"io.k8s.api.core.v1.Binding":{"description":"Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated in 1.7, please use the bindings subresource of pods instead.","type":"object","required":["target"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"target":{"description":"The target object that you want to bind to the standard object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Binding","version":"v1"}]},"io.k8s.api.core.v1.CSIPersistentVolumeSource":{"description":"Represents storage that is managed by an external CSI volume driver (Beta feature)","type":"object","required":["driver","volumeHandle"],"properties":{"controllerExpandSecretRef":{"description":"controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"controllerPublishSecretRef":{"description":"controllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"driver":{"description":"driver is the name of the driver to use for this volume. Required.","type":"string"},"fsType":{"description":"fsType to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\".","type":"string"},"nodeExpandSecretRef":{"description":"nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"nodeStageSecretRef":{"description":"nodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"readOnly":{"description":"readOnly value to pass to ControllerPublishVolumeRequest. Defaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes of the volume to publish.","type":"object","additionalProperties":{"type":"string"}},"volumeHandle":{"description":"volumeHandle is the unique volume name returned by the CSI volume plugin’s CreateVolume to refer to the volume on all subsequent calls. Required.","type":"string"}}},"io.k8s.api.core.v1.CSIVolumeSource":{"description":"Represents a source location of a volume to mount, managed by an external CSI driver","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"description":"nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"readOnly":{"description":"readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).","type":"boolean"},"volumeAttributes":{"description":"volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.","type":"object","additionalProperties":{"type":"string"}}}},"io.k8s.api.core.v1.Capabilities":{"description":"Adds and removes POSIX capabilities from running containers.","type":"object","properties":{"add":{"description":"Added capabilities","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"drop":{"description":"Removed capabilities","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.CephFSPersistentVolumeSource":{"description":"Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"user":{"description":"user is Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"io.k8s.api.core.v1.CephFSVolumeSource":{"description":"Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["monitors"],"properties":{"monitors":{"description":"monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"path":{"description":"path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"boolean"},"secretFile":{"description":"secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"user":{"description":"user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it","type":"string"}}},"io.k8s.api.core.v1.CinderPersistentVolumeSource":{"description":"Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is Optional: points to a secret object containing parameters used to connect to OpenStack.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"volumeID":{"description":"volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"io.k8s.api.core.v1.CinderVolumeSource":{"description":"Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"boolean"},"secretRef":{"description":"secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"volumeID":{"description":"volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","type":"string"}}},"io.k8s.api.core.v1.ClaimSource":{"description":"ClaimSource describes a reference to a ResourceClaim.\n\nExactly one of these fields should be set. Consumers of this type must treat an empty object as if it has an unknown value.","type":"object","properties":{"resourceClaimName":{"description":"ResourceClaimName is the name of a ResourceClaim object in the same namespace as this pod.","type":"string"},"resourceClaimTemplateName":{"description":"ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in the same namespace as this pod.\n\nThe template will be used to create a new ResourceClaim, which will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The pod name and resource name, along with a generated component, will be used to form a unique name for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses.\n\nThis field is immutable and no changes will be made to the corresponding ResourceClaim by the control plane after creating the ResourceClaim.","type":"string"}}},"io.k8s.api.core.v1.ClientIPConfig":{"description":"ClientIPConfig represents the configurations of Client IP based session affinity.","type":"object","properties":{"timeoutSeconds":{"description":"timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.ClusterTrustBundleProjection":{"description":"ClusterTrustBundleProjection describes how to select a set of ClusterTrustBundle objects and project their contents into the pod filesystem.","type":"object","required":["path"],"properties":{"labelSelector":{"description":"Select all ClusterTrustBundles that match this label selector. Only has effect if signerName is set. Mutually-exclusive with name. If unset, interpreted as \"match nothing\". If set but empty, interpreted as \"match everything\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"name":{"description":"Select a single ClusterTrustBundle by object name. Mutually-exclusive with signerName and labelSelector.","type":"string"},"optional":{"description":"If true, don't block pod startup if the referenced ClusterTrustBundle(s) aren't available. If using name, then the named ClusterTrustBundle is allowed not to exist. If using signerName, then the combination of signerName and labelSelector is allowed to match zero ClusterTrustBundles.","type":"boolean"},"path":{"description":"Relative path from the volume root to write the bundle.","type":"string"},"signerName":{"description":"Select all ClusterTrustBundles that match this signer name. Mutually-exclusive with name. The contents of all selected ClusterTrustBundles will be unified and deduplicated.","type":"string"}}},"io.k8s.api.core.v1.ComponentCondition":{"description":"Information about the condition of a component.","type":"object","required":["type","status"],"properties":{"error":{"description":"Condition error code for a component. For example, a health check error code.","type":"string"},"message":{"description":"Message about the condition for a component. For example, information about a health check.","type":"string"},"status":{"description":"Status of the condition for a component. Valid values for \"Healthy\": \"True\", \"False\", or \"Unknown\".","type":"string"},"type":{"description":"Type of condition for a component. Valid value: \"Healthy\"","type":"string"}}},"io.k8s.api.core.v1.ComponentStatus":{"description":"ComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"conditions":{"description":"List of component conditions observed","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ComponentStatus","version":"v1"}]},"io.k8s.api.core.v1.ComponentStatusList":{"description":"Status of all the conditions for the component as a list of ComponentStatus objects. Deprecated: This API is deprecated in v1.19+","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ComponentStatus objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentStatus"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ComponentStatusList","version":"v1"}]},"io.k8s.api.core.v1.ConfigMap":{"description":"ConfigMap holds configuration data for pods to consume.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"binaryData":{"description":"BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.","type":"object","additionalProperties":{"type":"string","format":"byte"}},"data":{"description":"Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.","type":"object","additionalProperties":{"type":"string"}},"immutable":{"description":"Immutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ConfigMap","version":"v1"}]},"io.k8s.api.core.v1.ConfigMapEnvSource":{"description":"ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.\n\nThe contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.","type":"object","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}}},"io.k8s.api.core.v1.ConfigMapKeySelector":{"description":"Selects a key from a ConfigMap.","type":"object","required":["key"],"properties":{"key":{"description":"The key to select.","type":"string"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ConfigMapList":{"description":"ConfigMapList is a resource containing a list of ConfigMap objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of ConfigMaps.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMap"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ConfigMapList","version":"v1"}]},"io.k8s.api.core.v1.ConfigMapNodeConfigSource":{"description":"ConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node. This API is deprecated since 1.22: https://git.k8s.io/enhancements/keps/sig-node/281-dynamic-kubelet-configuration","type":"object","required":["namespace","name","kubeletConfigKey"],"properties":{"kubeletConfigKey":{"description":"KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.","type":"string"},"name":{"description":"Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.","type":"string"},"namespace":{"description":"Namespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.","type":"string"},"resourceVersion":{"description":"ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.","type":"string"},"uid":{"description":"UID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.","type":"string"}}},"io.k8s.api.core.v1.ConfigMapProjection":{"description":"Adapts a ConfigMap into a projected volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}}},"io.k8s.api.core.v1.ConfigMapVolumeSource":{"description":"Adapts a ConfigMap into a volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}}},"io.k8s.api.core.v1.Container":{"description":"A single application container that you want to run within a pod.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint. The container image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell. The container image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvVar"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"envFrom":{"description":"List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvFromSource"},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.","type":"string"},"imagePullPolicy":{"description":"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\nPossible enum values:\n - `\"Always\"` means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.\n - `\"IfNotPresent\"` means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.\n - `\"Never\"` means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present","type":"string","enum":["Always","IfNotPresent","Never"]},"lifecycle":{"description":"Actions that the management system should take in response to container lifecycle events. Cannot be updated.","$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle"},"livenessProbe":{"description":"Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"name":{"description":"Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.","type":"string"},"ports":{"description":"List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default \"0.0.0.0\" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerPort"},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"containerPort","x-kubernetes-patch-strategy":"merge"},"readinessProbe":{"description":"Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartPolicy":{"description":"RestartPolicy defines the restart behavior of individual containers in a pod. This field may only be set for init containers, and the only allowed value is \"Always\". For non-init containers or when this field is not specified, the restart behavior is defined by the Pod's restart policy and the container type. Setting the RestartPolicy as \"Always\" for the init container will have the following effect: this init container will be continually restarted on exit until all regular containers have terminated. Once all regular containers have completed, all init containers with restartPolicy \"Always\" will be shut down. This lifecycle differs from normal init containers and is often referred to as a \"sidecar\" container. Although this init container still starts in the init container sequence, it does not wait for the container to complete before proceeding to the next init container. Instead, the next init container starts immediately after this init container is started, or after any startupProbe has successfully completed.","type":"string"},"securityContext":{"description":"SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","$ref":"#/definitions/io.k8s.api.core.v1.SecurityContext"},"startupProbe":{"description":"StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false","type":"boolean"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n\nPossible enum values:\n - `\"FallbackToLogsOnError\"` will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.\n - `\"File\"` is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.","type":"string","enum":["FallbackToLogsOnError","File"]},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeDevice"},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"devicePath","x-kubernetes-patch-strategy":"merge"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMount"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"},"workingDir":{"description":"Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.","type":"string"}}},"io.k8s.api.core.v1.ContainerImage":{"description":"Describe a container image","type":"object","properties":{"names":{"description":"Names by which this image is known. e.g. [\"kubernetes.example/hyperkube:v1.0.7\", \"cloud-vendor.registry.example/cloud-vendor/hyperkube:v1.0.7\"]","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"sizeBytes":{"description":"The size of the image in bytes.","type":"integer","format":"int64"}}},"io.k8s.api.core.v1.ContainerPort":{"description":"ContainerPort represents a network port in a single container.","type":"object","required":["containerPort"],"properties":{"containerPort":{"description":"Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.","type":"integer","format":"int32"},"hostIP":{"description":"What host IP to bind the external port to.","type":"string"},"hostPort":{"description":"Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.","type":"integer","format":"int32"},"name":{"description":"If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.","type":"string"},"protocol":{"description":"Protocol for port. Must be UDP, TCP, or SCTP. Defaults to \"TCP\".\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}}},"io.k8s.api.core.v1.ContainerResizePolicy":{"description":"ContainerResizePolicy represents resource resize policy for the container.","type":"object","required":["resourceName","restartPolicy"],"properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.","type":"string"}}},"io.k8s.api.core.v1.ContainerState":{"description":"ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.","type":"object","properties":{"running":{"description":"Details about a running container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateRunning"},"terminated":{"description":"Details about a terminated container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateTerminated"},"waiting":{"description":"Details about a waiting container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateWaiting"}}},"io.k8s.api.core.v1.ContainerStateRunning":{"description":"ContainerStateRunning is a running state of a container.","type":"object","properties":{"startedAt":{"description":"Time at which the container was last (re-)started","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.api.core.v1.ContainerStateTerminated":{"description":"ContainerStateTerminated is a terminated state of a container.","type":"object","required":["exitCode"],"properties":{"containerID":{"description":"Container's ID in the format '://'","type":"string"},"exitCode":{"description":"Exit status from the last termination of the container","type":"integer","format":"int32"},"finishedAt":{"description":"Time at which the container last terminated","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Message regarding the last termination of the container","type":"string"},"reason":{"description":"(brief) reason from the last termination of the container","type":"string"},"signal":{"description":"Signal from the last termination of the container","type":"integer","format":"int32"},"startedAt":{"description":"Time at which previous execution of the container started","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.api.core.v1.ContainerStateWaiting":{"description":"ContainerStateWaiting is a waiting state of a container.","type":"object","properties":{"message":{"description":"Message regarding why the container is not yet running.","type":"string"},"reason":{"description":"(brief) reason the container is not yet running.","type":"string"}}},"io.k8s.api.core.v1.ContainerStatus":{"description":"ContainerStatus contains details for the current status of this container.","type":"object","required":["name","ready","restartCount","image","imageID"],"properties":{"allocatedResources":{"description":"AllocatedResources represents the compute resources allocated for this container by the node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission and after successfully admitting desired pod resize.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"containerID":{"description":"ContainerID is the ID of the container in the format '://'. Where type is a container runtime identifier, returned from Version call of CRI API (for example \"containerd\").","type":"string"},"image":{"description":"Image is the name of container image that the container is running. The container image may not match the image used in the PodSpec, as it may have been resolved by the runtime. More info: https://kubernetes.io/docs/concepts/containers/images.","type":"string"},"imageID":{"description":"ImageID is the image ID of the container's image. The image ID may not match the image ID of the image used in the PodSpec, as it may have been resolved by the runtime.","type":"string"},"lastState":{"description":"LastTerminationState holds the last termination state of the container to help debug container crashes and restarts. This field is not populated if the container is still running and RestartCount is 0.","$ref":"#/definitions/io.k8s.api.core.v1.ContainerState"},"name":{"description":"Name is a DNS_LABEL representing the unique name of the container. Each container in a pod must have a unique name across all container types. Cannot be updated.","type":"string"},"ready":{"description":"Ready specifies whether the container is currently passing its readiness check. The value will change as readiness probes keep executing. If no readiness probes are specified, this field defaults to true once the container is fully started (see Started field).\n\nThe value is typically used to determine whether a container is ready to accept traffic.","type":"boolean"},"resources":{"description":"Resources represents the compute resource requests and limits that have been successfully enacted on the running container after it has been started or has been successfully resized.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartCount":{"description":"RestartCount holds the number of times the container has been restarted. Kubelet makes an effort to always increment the value, but there are cases when the state may be lost due to node restarts and then the value may be reset to 0. The value is never negative.","type":"integer","format":"int32"},"started":{"description":"Started indicates whether the container has finished its postStart lifecycle hook and passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. In both cases, startup probes will run again. Is always true when no startupProbe is defined and container is running and has passed the postStart lifecycle hook. The null value must be treated the same as false.","type":"boolean"},"state":{"description":"State holds details about the container's current condition.","$ref":"#/definitions/io.k8s.api.core.v1.ContainerState"},"volumeMounts":{"description":"Status of volume mounts.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMountStatus"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.core.v1.DaemonEndpoint":{"description":"DaemonEndpoint contains information about a single Daemon endpoint.","type":"object","required":["Port"],"properties":{"Port":{"description":"Port number of the given endpoint.","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.DownwardAPIProjection":{"description":"Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.","type":"object","properties":{"items":{"description":"Items is a list of DownwardAPIVolume file","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.DownwardAPIVolumeFile":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","type":"object","required":["path"],"properties":{"fieldRef":{"description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"},"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"}}},"io.k8s.api.core.v1.DownwardAPIVolumeSource":{"description":"DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"Items is a list of downward API volume file","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.EmptyDirVolumeSource":{"description":"Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.","type":"object","properties":{"medium":{"description":"medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","type":"string"},"sizeLimit":{"description":"sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"io.k8s.api.core.v1.EndpointAddress":{"description":"EndpointAddress is a tuple that describes single IP address.","type":"object","required":["ip"],"properties":{"hostname":{"description":"The Hostname of this endpoint","type":"string"},"ip":{"description":"The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).","type":"string"},"nodeName":{"description":"Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.","type":"string"},"targetRef":{"description":"Reference to object providing the endpoint.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.EndpointPort":{"description":"EndpointPort is a tuple that describes a single port.","type":"object","required":["port"],"properties":{"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"The name of this port. This must match the 'name' field in the corresponding ServicePort. Must be a DNS_LABEL. Optional only if one port is defined.","type":"string"},"port":{"description":"The port number of the endpoint.","type":"integer","format":"int32"},"protocol":{"description":"The IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.EndpointSubset":{"description":"EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]","type":"object","properties":{"addresses":{"description":"IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"},"x-kubernetes-list-type":"atomic"},"notReadyAddresses":{"description":"IP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"Port numbers available on the related IP addresses.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointPort"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.Endpoints":{"description":"Endpoints is a collection of endpoints that implement the actual service. Example:\n\n\t Name: \"mysvc\",\n\t Subsets: [\n\t {\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t },\n\t {\n\t Addresses: [{\"ip\": \"10.10.3.3\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 93}, {\"name\": \"b\", \"port\": 76}]\n\t },\n\t]","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"subsets":{"description":"The set of all endpoints is the union of all subsets. Addresses are placed into subsets according to the IPs they share. A single address with multiple ports, some of which are ready and some of which are not (because they come from different containers) will result in the address being displayed in different subsets for the different ports. No address will appear in both Addresses and NotReadyAddresses in the same subset. Sets of addresses and ports that comprise a service.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointSubset"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Endpoints","version":"v1"}]},"io.k8s.api.core.v1.EndpointsList":{"description":"EndpointsList is a list of endpoints.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of endpoints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Endpoints"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"EndpointsList","version":"v1"}]},"io.k8s.api.core.v1.EnvFromSource":{"description":"EnvFromSource represents the source of a set of ConfigMaps","type":"object","properties":{"configMapRef":{"description":"The ConfigMap to select from","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource"},"prefix":{"description":"An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.","type":"string"},"secretRef":{"description":"The Secret to select from","$ref":"#/definitions/io.k8s.api.core.v1.SecretEnvSource"}}},"io.k8s.api.core.v1.EnvVar":{"description":"EnvVar represents an environment variable present in a Container.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the environment variable. Must be a C_IDENTIFIER.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".","type":"string"},"valueFrom":{"description":"Source for the environment variable's value. Cannot be used if value is not empty.","$ref":"#/definitions/io.k8s.api.core.v1.EnvVarSource"}}},"io.k8s.api.core.v1.EnvVarSource":{"description":"EnvVarSource represents a source for the value of an EnvVar.","type":"object","properties":{"configMapKeyRef":{"description":"Selects a key of a ConfigMap.","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapKeySelector"},"fieldRef":{"description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"},"resourceFieldRef":{"description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"},"secretKeyRef":{"description":"Selects a key of a secret in the pod's namespace","$ref":"#/definitions/io.k8s.api.core.v1.SecretKeySelector"}}},"io.k8s.api.core.v1.EphemeralContainer":{"description":"An EphemeralContainer is a temporary container that you may add to an existing Pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a Pod is removed or restarted. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation.\n\nTo add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.","type":"object","required":["name"],"properties":{"args":{"description":"Arguments to the entrypoint. The image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"command":{"description":"Entrypoint array. Not executed within a shell. The image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"env":{"description":"List of environment variables to set in the container. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvVar"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"envFrom":{"description":"List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvFromSource"},"x-kubernetes-list-type":"atomic"},"image":{"description":"Container image name. More info: https://kubernetes.io/docs/concepts/containers/images","type":"string"},"imagePullPolicy":{"description":"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images\n\nPossible enum values:\n - `\"Always\"` means that kubelet always attempts to pull the latest image. Container will fail If the pull fails.\n - `\"IfNotPresent\"` means that kubelet pulls if the image isn't present on disk. Container will fail if the image isn't present and the pull fails.\n - `\"Never\"` means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn't present","type":"string","enum":["Always","IfNotPresent","Never"]},"lifecycle":{"description":"Lifecycle is not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Lifecycle"},"livenessProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"name":{"description":"Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.","type":"string"},"ports":{"description":"Ports are not allowed for ephemeral containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerPort"},"x-kubernetes-list-map-keys":["containerPort","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"containerPort","x-kubernetes-patch-strategy":"merge"},"readinessProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"resizePolicy":{"description":"Resources resize policy for the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerResizePolicy"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.ResourceRequirements"},"restartPolicy":{"description":"Restart policy for the container to manage the restart behavior of each container within a pod. This may only be set for init containers. You cannot set this field on ephemeral containers.","type":"string"},"securityContext":{"description":"Optional: SecurityContext defines the security options the ephemeral container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.","$ref":"#/definitions/io.k8s.api.core.v1.SecurityContext"},"startupProbe":{"description":"Probes are not allowed for ephemeral containers.","$ref":"#/definitions/io.k8s.api.core.v1.Probe"},"stdin":{"description":"Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.","type":"boolean"},"stdinOnce":{"description":"Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false","type":"boolean"},"targetContainerName":{"description":"If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container uses the namespaces configured in the Pod spec.\n\nThe container runtime must implement support for this feature. If the runtime does not support namespace targeting then the result of setting this field is undefined.","type":"string"},"terminationMessagePath":{"description":"Optional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.","type":"string"},"terminationMessagePolicy":{"description":"Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.\n\nPossible enum values:\n - `\"FallbackToLogsOnError\"` will read the most recent contents of the container logs for the container status message when the container exits with an error and the terminationMessagePath has no contents.\n - `\"File\"` is the default behavior and will set the container status message to the contents of the container's terminationMessagePath when the container exits.","type":"string","enum":["FallbackToLogsOnError","File"]},"tty":{"description":"Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.","type":"boolean"},"volumeDevices":{"description":"volumeDevices is the list of block devices to be used by the container.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeDevice"},"x-kubernetes-list-map-keys":["devicePath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"devicePath","x-kubernetes-patch-strategy":"merge"},"volumeMounts":{"description":"Pod volumes to mount into the container's filesystem. Subpath mounts are not allowed for ephemeral containers. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeMount"},"x-kubernetes-list-map-keys":["mountPath"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"mountPath","x-kubernetes-patch-strategy":"merge"},"workingDir":{"description":"Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.","type":"string"}}},"io.k8s.api.core.v1.EphemeralVolumeSource":{"description":"Represents an ephemeral volume that is handled by a normal storage driver.","type":"object","properties":{"volumeClaimTemplate":{"description":"Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).\n\nAn existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.\n\nThis field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.\n\nRequired, must not be nil.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimTemplate"}}},"io.k8s.api.core.v1.Event":{"description":"Event is a report of an event somewhere in the cluster. Events have a limited retention time and triggers and messages may evolve with time. Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason. Events should be treated as informative, best-effort, supplemental data.","type":"object","required":["metadata","involvedObject"],"properties":{"action":{"description":"What action was taken/failed regarding to the Regarding object.","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"count":{"description":"The number of times this event has occurred.","type":"integer","format":"int32"},"eventTime":{"description":"Time when this Event was first observed.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"firstTimestamp":{"description":"The time at which the event was first recorded. (Time of server receipt is in TypeMeta.)","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"involvedObject":{"description":"The object that this event is about.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"lastTimestamp":{"description":"The time at which the most recent occurrence of this event was recorded.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human-readable description of the status of this operation.","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"reason":{"description":"This should be a short, machine understandable string that gives the reason for the transition into the object's current status.","type":"string"},"related":{"description":"Optional secondary object for more complex actions.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"reportingComponent":{"description":"Name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`.","type":"string"},"reportingInstance":{"description":"ID of the controller instance, e.g. `kubelet-xyzf`.","type":"string"},"series":{"description":"Data about the Event series this event represents or nil if it's a singleton Event.","$ref":"#/definitions/io.k8s.api.core.v1.EventSeries"},"source":{"description":"The component reporting this event. Should be a short machine understandable string.","$ref":"#/definitions/io.k8s.api.core.v1.EventSource"},"type":{"description":"Type of this event (Normal, Warning), new types could be added in the future","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Event","version":"v1"}]},"io.k8s.api.core.v1.EventList":{"description":"EventList is a list of events.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of events","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Event"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"EventList","version":"v1"}]},"io.k8s.api.core.v1.EventSeries":{"description":"EventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time.","type":"object","properties":{"count":{"description":"Number of occurrences in this series up to the last heartbeat time","type":"integer","format":"int32"},"lastObservedTime":{"description":"Time of the last occurrence observed","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"}}},"io.k8s.api.core.v1.EventSource":{"description":"EventSource contains information for an event.","type":"object","properties":{"component":{"description":"Component from which the event is generated.","type":"string"},"host":{"description":"Node name on which the event is generated.","type":"string"}}},"io.k8s.api.core.v1.ExecAction":{"description":"ExecAction describes a \"run in container\" action.","type":"object","properties":{"command":{"description":"Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.FCVolumeSource":{"description":"Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"lun":{"description":"lun is Optional: FC target lun number","type":"integer","format":"int32"},"readOnly":{"description":"readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"targetWWNs":{"description":"targetWWNs is Optional: FC target worldwide names (WWNs)","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"wwids":{"description":"wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.FlexPersistentVolumeSource":{"description":"FlexPersistentVolumeSource represents a generic persistent volume resource that is provisioned/attached using an exec based plugin.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"}}},"io.k8s.api.core.v1.FlexVolumeSource":{"description":"FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.","type":"object","required":["driver"],"properties":{"driver":{"description":"driver is the name of the driver to use for this volume.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.","type":"string"},"options":{"description":"options is Optional: this field holds extra command options if any.","type":"object","additionalProperties":{"type":"string"}},"readOnly":{"description":"readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"}}},"io.k8s.api.core.v1.FlockerVolumeSource":{"description":"Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.","type":"object","properties":{"datasetName":{"description":"datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated","type":"string"},"datasetUUID":{"description":"datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset","type":"string"}}},"io.k8s.api.core.v1.GCEPersistentDiskVolumeSource":{"description":"Represents a Persistent Disk resource in Google Compute Engine.\n\nA GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.","type":"object","required":["pdName"],"properties":{"fsType":{"description":"fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"partition":{"description":"partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"integer","format":"int32"},"pdName":{"description":"pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","type":"boolean"}}},"io.k8s.api.core.v1.GRPCAction":{"type":"object","required":["port"],"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","type":"integer","format":"int32"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}}},"io.k8s.api.core.v1.GitRepoVolumeSource":{"description":"Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.\n\nDEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.","type":"object","required":["repository"],"properties":{"directory":{"description":"directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.","type":"string"},"repository":{"description":"repository is the URL","type":"string"},"revision":{"description":"revision is the commit hash for the specified revision.","type":"string"}}},"io.k8s.api.core.v1.GlusterfsPersistentVolumeSource":{"description":"Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"endpointsNamespace":{"description":"endpointsNamespace is the namespace that contains Glusterfs endpoint. If this field is empty, the EndpointNamespace defaults to the same namespace as the bound PVC. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"path":{"description":"path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"io.k8s.api.core.v1.GlusterfsVolumeSource":{"description":"Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.","type":"object","required":["endpoints","path"],"properties":{"endpoints":{"description":"endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"path":{"description":"path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"string"},"readOnly":{"description":"readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod","type":"boolean"}}},"io.k8s.api.core.v1.HTTPGetAction":{"description":"HTTPGetAction describes an action based on HTTP Get requests.","type":"object","required":["port"],"properties":{"host":{"description":"Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.","type":"string"},"httpHeaders":{"description":"Custom headers to set in the request. HTTP allows repeated headers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HTTPHeader"},"x-kubernetes-list-type":"atomic"},"path":{"description":"Path to access on the HTTP server.","type":"string"},"port":{"description":"Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"scheme":{"description":"Scheme to use for connecting to the host. Defaults to HTTP.\n\nPossible enum values:\n - `\"HTTP\"` means that the scheme used will be http://\n - `\"HTTPS\"` means that the scheme used will be https://","type":"string","enum":["HTTP","HTTPS"]}}},"io.k8s.api.core.v1.HTTPHeader":{"description":"HTTPHeader describes a custom header to be used in HTTP probes","type":"object","required":["name","value"],"properties":{"name":{"description":"The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.","type":"string"},"value":{"description":"The header field value","type":"string"}}},"io.k8s.api.core.v1.HostAlias":{"description":"HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.","type":"object","required":["ip"],"properties":{"hostnames":{"description":"Hostnames for the above IP address.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"ip":{"description":"IP address of the host file entry.","type":"string"}}},"io.k8s.api.core.v1.HostIP":{"description":"HostIP represents a single IP address allocated to the host.","type":"object","properties":{"ip":{"description":"IP is the IP address assigned to the host","type":"string"}}},"io.k8s.api.core.v1.HostPathVolumeSource":{"description":"Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.","type":"object","required":["path"],"properties":{"path":{"description":"path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"},"type":{"description":"type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath\n\nPossible enum values:\n - `\"\"` For backwards compatible, leave it empty if unset\n - `\"BlockDevice\"` A block device must exist at the given path\n - `\"CharDevice\"` A character device must exist at the given path\n - `\"Directory\"` A directory must exist at the given path\n - `\"DirectoryOrCreate\"` If nothing exists at the given path, an empty directory will be created there as needed with file mode 0755, having the same group and ownership with Kubelet.\n - `\"File\"` A file must exist at the given path\n - `\"FileOrCreate\"` If nothing exists at the given path, an empty file will be created there as needed with file mode 0644, having the same group and ownership with Kubelet.\n - `\"Socket\"` A UNIX socket must exist at the given path","type":"string","enum":["","BlockDevice","CharDevice","Directory","DirectoryOrCreate","File","FileOrCreate","Socket"]}}},"io.k8s.api.core.v1.ISCSIPersistentVolumeSource":{"description":"ISCSIPersistentVolumeSource represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.","type":"object","required":["targetPortal","iqn","lun"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.","type":"string"},"iqn":{"description":"iqn is Target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun is iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"string"}}},"io.k8s.api.core.v1.ISCSIVolumeSource":{"description":"Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.","type":"object","required":["targetPortal","iqn","lun"],"properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"chapAuthSession":{"description":"chapAuthSession defines whether support iSCSI Session CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.","type":"string"},"iqn":{"description":"iqn is the target iSCSI Qualified Name.","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).","type":"string"},"lun":{"description":"lun represents iSCSI Target Lun number.","type":"integer","format":"int32"},"portals":{"description":"portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.","type":"boolean"},"secretRef":{"description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"string"}}},"io.k8s.api.core.v1.KeyToPath":{"description":"Maps a string key to a path within a volume.","type":"object","required":["key","path"],"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"path":{"description":"path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.","type":"string"}}},"io.k8s.api.core.v1.Lifecycle":{"description":"Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.","type":"object","properties":{"postStart":{"description":"PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","$ref":"#/definitions/io.k8s.api.core.v1.LifecycleHandler"},"preStop":{"description":"PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod's termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks","$ref":"#/definitions/io.k8s.api.core.v1.LifecycleHandler"}}},"io.k8s.api.core.v1.LifecycleHandler":{"description":"LifecycleHandler defines a specific action that should be taken in a lifecycle hook. One and only one of the fields, except TCPSocket must be specified.","type":"object","properties":{"exec":{"description":"Exec specifies the action to take.","$ref":"#/definitions/io.k8s.api.core.v1.ExecAction"},"httpGet":{"description":"HTTPGet specifies the http request to perform.","$ref":"#/definitions/io.k8s.api.core.v1.HTTPGetAction"},"sleep":{"description":"Sleep represents the duration that the container should sleep before being terminated.","$ref":"#/definitions/io.k8s.api.core.v1.SleepAction"},"tcpSocket":{"description":"Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified.","$ref":"#/definitions/io.k8s.api.core.v1.TCPSocketAction"}}},"io.k8s.api.core.v1.LimitRange":{"description":"LimitRange sets resource usage limits for each kind of resource in a Namespace.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeSpec"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"LimitRange","version":"v1"}]},"io.k8s.api.core.v1.LimitRangeItem":{"description":"LimitRangeItem defines a min/max usage limit for any resource that matches on kind.","type":"object","required":["type"],"properties":{"default":{"description":"Default resource requirement limit value by resource name if resource limit is omitted.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"defaultRequest":{"description":"DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"max":{"description":"Max usage constraints on this kind by resource name.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"maxLimitRequestRatio":{"description":"MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"min":{"description":"Min usage constraints on this kind by resource name.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"type":{"description":"Type of resource that this limit applies to.","type":"string"}}},"io.k8s.api.core.v1.LimitRangeList":{"description":"LimitRangeList is a list of LimitRange items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of LimitRange objects. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRange"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"LimitRangeList","version":"v1"}]},"io.k8s.api.core.v1.LimitRangeSpec":{"description":"LimitRangeSpec defines a min/max usage limit for resources that match on kind.","type":"object","required":["limits"],"properties":{"limits":{"description":"Limits is the list of LimitRangeItem objects that are enforced.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeItem"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.LoadBalancerIngress":{"description":"LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.","type":"object","properties":{"hostname":{"description":"Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)","type":"string"},"ip":{"description":"IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)","type":"string"},"ipMode":{"description":"IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. Setting this to \"VIP\" indicates that traffic is delivered to the node with the destination set to the load-balancer's IP and port. Setting this to \"Proxy\" indicates that traffic is delivered to the node or pod with the destination set to the node's IP and node port or the pod's IP and port. Service implementations may use this information to adjust traffic routing.","type":"string"},"ports":{"description":"Ports is a list of records of service ports If used, every port defined in the service should have an entry in it","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PortStatus"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.LoadBalancerStatus":{"description":"LoadBalancerStatus represents the status of a load-balancer.","type":"object","properties":{"ingress":{"description":"Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LoadBalancerIngress"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.LocalObjectReference":{"description":"LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.","type":"object","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.LocalVolumeSource":{"description":"Local represents directly-attached storage with node affinity (Beta feature)","type":"object","required":["path"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.","type":"string"},"path":{"description":"path of the full path to the volume on the node. It can be either a directory or block device (disk, partition, ...).","type":"string"}}},"io.k8s.api.core.v1.ModifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation","type":"object","required":["status"],"properties":{"status":{"description":"status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n the specified VolumeAttributesClass not existing.\n - InProgress\n InProgress indicates that the volume is being modified.\n - Infeasible\n Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately.\n\nPossible enum values:\n - `\"InProgress\"` InProgress indicates that the volume is being modified\n - `\"Infeasible\"` Infeasible indicates that the request has been rejected as invalid by the CSI driver. To resolve the error, a valid VolumeAttributesClass needs to be specified\n - `\"Pending\"` Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as the specified VolumeAttributesClass not existing","type":"string","enum":["InProgress","Infeasible","Pending"]},"targetVolumeAttributesClassName":{"description":"targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled","type":"string"}}},"io.k8s.api.core.v1.NFSVolumeSource":{"description":"Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.","type":"object","required":["server","path"],"properties":{"path":{"description":"path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"},"readOnly":{"description":"readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"boolean"},"server":{"description":"server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","type":"string"}}},"io.k8s.api.core.v1.Namespace":{"description":"Namespace provides a scope for Names. Use of multiple namespaces is optional.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NamespaceSpec"},"status":{"description":"Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NamespaceStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Namespace","version":"v1"}]},"io.k8s.api.core.v1.NamespaceCondition":{"description":"NamespaceCondition contains details about state of namespace.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"type":"string"},"reason":{"type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of namespace controller condition.","type":"string"}}},"io.k8s.api.core.v1.NamespaceList":{"description":"NamespaceList is a list of Namespaces.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Namespace"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"NamespaceList","version":"v1"}]},"io.k8s.api.core.v1.NamespaceSpec":{"description":"NamespaceSpec describes the attributes on a Namespace.","type":"object","properties":{"finalizers":{"description":"Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.NamespaceStatus":{"description":"NamespaceStatus is information about the current status of a Namespace.","type":"object","properties":{"conditions":{"description":"Represents the latest available observations of a namespace's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"phase":{"description":"Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/\n\nPossible enum values:\n - `\"Active\"` means the namespace is available for use in the system\n - `\"Terminating\"` means the namespace is undergoing graceful termination","type":"string","enum":["Active","Terminating"]}}},"io.k8s.api.core.v1.Node":{"description":"Node is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NodeSpec"},"status":{"description":"Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.NodeStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Node","version":"v1"}]},"io.k8s.api.core.v1.NodeAddress":{"description":"NodeAddress contains information for the node's address.","type":"object","required":["type","address"],"properties":{"address":{"description":"The node address.","type":"string"},"type":{"description":"Node address type, one of Hostname, ExternalIP or InternalIP.","type":"string"}}},"io.k8s.api.core.v1.NodeAffinity":{"description":"Node affinity is a group of node affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PreferredSchedulingTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}}},"io.k8s.api.core.v1.NodeCondition":{"description":"NodeCondition contains condition information for a node.","type":"object","required":["type","status"],"properties":{"lastHeartbeatTime":{"description":"Last time we got an update on a given condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transit from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human readable message indicating details about last transition.","type":"string"},"reason":{"description":"(brief) reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of node condition.","type":"string"}}},"io.k8s.api.core.v1.NodeConfigSource":{"description":"NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22","type":"object","properties":{"configMap":{"description":"ConfigMap is a reference to a Node's ConfigMap","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapNodeConfigSource"}}},"io.k8s.api.core.v1.NodeConfigStatus":{"description":"NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.","type":"object","properties":{"active":{"description":"Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"assigned":{"description":"Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"error":{"description":"Error describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.","type":"string"},"lastKnownGood":{"description":"LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"}}},"io.k8s.api.core.v1.NodeDaemonEndpoints":{"description":"NodeDaemonEndpoints lists ports opened by daemons running on the Node.","type":"object","properties":{"kubeletEndpoint":{"description":"Endpoint on which Kubelet is listening.","$ref":"#/definitions/io.k8s.api.core.v1.DaemonEndpoint"}}},"io.k8s.api.core.v1.NodeList":{"description":"NodeList is the whole list of all Nodes which have been registered with master.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"NodeList","version":"v1"}]},"io.k8s.api.core.v1.NodeRuntimeHandler":{"description":"NodeRuntimeHandler is a set of runtime handler information.","type":"object","properties":{"features":{"description":"Supported features.","$ref":"#/definitions/io.k8s.api.core.v1.NodeRuntimeHandlerFeatures"},"name":{"description":"Runtime handler name. Empty for the default runtime handler.","type":"string"}}},"io.k8s.api.core.v1.NodeRuntimeHandlerFeatures":{"description":"NodeRuntimeHandlerFeatures is a set of runtime features.","type":"object","properties":{"recursiveReadOnlyMounts":{"description":"RecursiveReadOnlyMounts is set to true if the runtime handler supports RecursiveReadOnlyMounts.","type":"boolean"}}},"io.k8s.api.core.v1.NodeSelector":{"description":"A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.","type":"object","required":["nodeSelectorTerms"],"properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.NodeSelectorRequirement":{"description":"A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"operator":{"description":"Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.\n\nPossible enum values:\n - `\"DoesNotExist\"`\n - `\"Exists\"`\n - `\"Gt\"`\n - `\"In\"`\n - `\"Lt\"`\n - `\"NotIn\"`","type":"string","enum":["DoesNotExist","Exists","Gt","In","Lt","NotIn"]},"values":{"description":"An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.NodeSelectorTerm":{"description":"A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.","type":"object","properties":{"matchExpressions":{"description":"A list of node selector requirements by node's labels.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement"},"x-kubernetes-list-type":"atomic"},"matchFields":{"description":"A list of node selector requirements by node's fields.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.NodeSpec":{"description":"NodeSpec describes the attributes that a node is created with.","type":"object","properties":{"configSource":{"description":"Deprecated: Previously used to specify the source of the node's configuration for the DynamicKubeletConfig feature. This feature is removed.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource"},"externalID":{"description":"Deprecated. Not all kubelets will set this field. Remove field after 1.13. see: https://issues.k8s.io/61966","type":"string"},"podCIDR":{"description":"PodCIDR represents the pod IP range assigned to the node.","type":"string"},"podCIDRs":{"description":"podCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for each of IPv4 and IPv6.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set","x-kubernetes-patch-strategy":"merge"},"providerID":{"description":"ID of the node assigned by the cloud provider in the format: ://","type":"string"},"taints":{"description":"If specified, the node's taints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Taint"},"x-kubernetes-list-type":"atomic"},"unschedulable":{"description":"Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration","type":"boolean"}}},"io.k8s.api.core.v1.NodeStatus":{"description":"NodeStatus is information about the current status of a node.","type":"object","properties":{"addresses":{"description":"List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See https://pr.k8s.io/79391 for an example. Consumers should assume that addresses can change during the lifetime of a Node. However, there are some exceptions where this may not be possible, such as Pods that inherit a Node's address in its own status or consumers of the downward API (status.hostIP).","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeAddress"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"allocatable":{"description":"Allocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"capacity":{"description":"Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"conditions":{"description":"Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"config":{"description":"Status of the config assigned to the node via the dynamic Kubelet config feature.","$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigStatus"},"daemonEndpoints":{"description":"Endpoints of daemons running on the Node.","$ref":"#/definitions/io.k8s.api.core.v1.NodeDaemonEndpoints"},"images":{"description":"List of container images on this node","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerImage"},"x-kubernetes-list-type":"atomic"},"nodeInfo":{"description":"Set of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info","$ref":"#/definitions/io.k8s.api.core.v1.NodeSystemInfo"},"phase":{"description":"NodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.\n\nPossible enum values:\n - `\"Pending\"` means the node has been created/added by the system, but not configured.\n - `\"Running\"` means the node has been configured and has Kubernetes components running.\n - `\"Terminated\"` means the node has been removed from the cluster.","type":"string","enum":["Pending","Running","Terminated"]},"runtimeHandlers":{"description":"The available runtime handlers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeRuntimeHandler"},"x-kubernetes-list-type":"atomic"},"volumesAttached":{"description":"List of volumes that are attached to the node.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.AttachedVolume"},"x-kubernetes-list-type":"atomic"},"volumesInUse":{"description":"List of attachable volumes in use (mounted) by the node.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.NodeSystemInfo":{"description":"NodeSystemInfo is a set of ids/uuids to uniquely identify the node.","type":"object","required":["machineID","systemUUID","bootID","kernelVersion","osImage","containerRuntimeVersion","kubeletVersion","kubeProxyVersion","operatingSystem","architecture"],"properties":{"architecture":{"description":"The Architecture reported by the node","type":"string"},"bootID":{"description":"Boot ID reported by the node.","type":"string"},"containerRuntimeVersion":{"description":"ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2).","type":"string"},"kernelVersion":{"description":"Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).","type":"string"},"kubeProxyVersion":{"description":"KubeProxy Version reported by the node.","type":"string"},"kubeletVersion":{"description":"Kubelet Version reported by the node.","type":"string"},"machineID":{"description":"MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html","type":"string"},"operatingSystem":{"description":"The Operating System reported by the node","type":"string"},"osImage":{"description":"OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).","type":"string"},"systemUUID":{"description":"SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid","type":"string"}}},"io.k8s.api.core.v1.ObjectFieldSelector":{"description":"ObjectFieldSelector selects an APIVersioned field of an object.","type":"object","required":["fieldPath"],"properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ObjectReference":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.","type":"string"},"kind":{"description":"Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.PersistentVolume":{"description":"PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"},"status":{"description":"status represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolume","version":"v1"}]},"io.k8s.api.core.v1.PersistentVolumeClaim":{"description":"PersistentVolumeClaim is a user's request for and claim to a persistent volume","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"},"status":{"description":"status represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeClaim","version":"v1"}]},"io.k8s.api.core.v1.PersistentVolumeClaimCondition":{"description":"PersistentVolumeClaimCondition contains details about state of pvc","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"lastProbeTime is the time we probed the condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"lastTransitionTime is the time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is the human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports \"Resizing\" that means the underlying persistent volume is being resized.","type":"string"},"status":{"type":"string"},"type":{"type":"string"}}},"io.k8s.api.core.v1.PersistentVolumeClaimList":{"description":"PersistentVolumeClaimList is a list of PersistentVolumeClaim items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeClaimList","version":"v1"}]},"io.k8s.api.core.v1.PersistentVolumeClaimSpec":{"description":"PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes","type":"object","properties":{"accessModes":{"description":"accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"dataSource":{"description":"dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.","$ref":"#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"},"dataSourceRef":{"description":"dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn't specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn't set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef\n allows any non-core object, as well as PersistentVolumeClaim objects.\n* While dataSource ignores disallowed values (dropping them), dataSourceRef\n preserves all values, and generates an error if a disallowed value is\n specified.\n* While dataSource only allows local objects, dataSourceRef allows objects\n in any namespaces.\n(Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","$ref":"#/definitions/io.k8s.api.core.v1.TypedObjectReference"},"resources":{"description":"resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources","$ref":"#/definitions/io.k8s.api.core.v1.VolumeResourceRequirements"},"selector":{"description":"selector is a label query over volumes to consider for binding.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"storageClassName":{"description":"storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1","type":"string"},"volumeAttributesClassName":{"description":"volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it's not allowed to reset this field to empty string once it is set. If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.","type":"string"},"volumeMode":{"description":"volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.\n\nPossible enum values:\n - `\"Block\"` means the volume will not be formatted with a filesystem and will remain a raw block device.\n - `\"Filesystem\"` means the volume will be or is formatted with a filesystem.","type":"string","enum":["Block","Filesystem"]},"volumeName":{"description":"volumeName is the binding reference to the PersistentVolume backing this claim.","type":"string"}}},"io.k8s.api.core.v1.PersistentVolumeClaimStatus":{"description":"PersistentVolumeClaimStatus is the current status of a persistent volume claim.","type":"object","properties":{"accessModes":{"description":"accessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"allocatedResourceStatuses":{"description":"allocatedResourceStatuses stores status of resource being resized for the given PVC. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"type":"string","enum":["ControllerResizeFailed","ControllerResizeInProgress","NodeResizeFailed","NodeResizeInProgress","NodeResizePending"]},"x-kubernetes-map-type":"granular"},"allocatedResources":{"description":"allocatedResources tracks the resources allocated to a PVC including its capacity. Key names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered reserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation is requested. For storage quota, the larger value from allocatedResources and PVC.spec.resources is used. If allocatedResources is not set, PVC.spec.resources alone is used for quota calculation. If a volume expansion capacity request is lowered, allocatedResources is only lowered if there are no expansion operations in progress and if the actual volume capacity is equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName should ignore the update for the purpose it was designed. For example - a controller that only is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid resources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"capacity":{"description":"capacity represents the actual resources of the underlying volume.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"conditions":{"description":"conditions is the current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'Resizing'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentVolumeAttributesClassName":{"description":"currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim This is an alpha field and requires enabling VolumeAttributesClass feature.","type":"string"},"modifyVolumeStatus":{"description":"ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. When this is unset, there is no ModifyVolume operation being attempted. This is an alpha field and requires enabling VolumeAttributesClass feature.","$ref":"#/definitions/io.k8s.api.core.v1.ModifyVolumeStatus"},"phase":{"description":"phase represents the current phase of PersistentVolumeClaim.\n\nPossible enum values:\n - `\"Bound\"` used for PersistentVolumeClaims that are bound\n - `\"Lost\"` used for PersistentVolumeClaims that lost their underlying PersistentVolume. The claim was bound to a PersistentVolume and this volume does not exist any longer and all data on it was lost.\n - `\"Pending\"` used for PersistentVolumeClaims that are not yet bound","type":"string","enum":["Bound","Lost","Pending"]}}},"io.k8s.api.core.v1.PersistentVolumeClaimTemplate":{"description":"PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.","type":"object","required":["spec"],"properties":{"metadata":{"description":"May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"}}},"io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource":{"description":"PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).","type":"object","required":["claimName"],"properties":{"claimName":{"description":"claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","type":"string"},"readOnly":{"description":"readOnly Will force the ReadOnly setting in VolumeMounts. Default false.","type":"boolean"}}},"io.k8s.api.core.v1.PersistentVolumeList":{"description":"PersistentVolumeList is a list of PersistentVolume items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeList","version":"v1"}]},"io.k8s.api.core.v1.PersistentVolumeSpec":{"description":"PersistentVolumeSpec is the specification of a persistent volume.","type":"object","properties":{"accessModes":{"description":"accessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes","type":"array","items":{"type":"string","enum":["ReadOnlyMany","ReadWriteMany","ReadWriteOnce","ReadWriteOncePod"]},"x-kubernetes-list-type":"atomic"},"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","$ref":"#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource"},"capacity":{"description":"capacity is the description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacity","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime","$ref":"#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource"},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource"},"claimRef":{"description":"claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference","x-kubernetes-map-type":"granular"},"csi":{"description":"csi represents storage that is handled by an external CSI driver (Beta feature).","$ref":"#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource"},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.FCVolumeSource"},"flexVolume":{"description":"flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.","$ref":"#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource"},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running","$ref":"#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","$ref":"#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"},"glusterfs":{"description":"glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md","$ref":"#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"},"hostPath":{"description":"hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","$ref":"#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin.","$ref":"#/definitions/io.k8s.api.core.v1.ISCSIPersistentVolumeSource"},"local":{"description":"local represents directly-attached storage with node affinity","$ref":"#/definitions/io.k8s.api.core.v1.LocalVolumeSource"},"mountOptions":{"description":"mountOptions is the list of mount options, e.g. [\"ro\", \"soft\"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nfs":{"description":"nfs represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","$ref":"#/definitions/io.k8s.api.core.v1.NFSVolumeSource"},"nodeAffinity":{"description":"nodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume.","$ref":"#/definitions/io.k8s.api.core.v1.VolumeNodeAffinity"},"persistentVolumeReclaimPolicy":{"description":"persistentVolumeReclaimPolicy defines what happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming\n\nPossible enum values:\n - `\"Delete\"` means the volume will be deleted from Kubernetes on release from its claim. The volume plugin must support Deletion.\n - `\"Recycle\"` means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. The volume plugin must support Recycling.\n - `\"Retain\"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain.","type":"string","enum":["Delete","Recycle","Retain"]},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime","$ref":"#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource"},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.","$ref":"#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"},"storageClassName":{"description":"storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.","type":"string"},"storageos":{"description":"storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md","$ref":"#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource"},"volumeAttributesClassName":{"description":"Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is an alpha field and requires enabling VolumeAttributesClass feature.","type":"string"},"volumeMode":{"description":"volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.\n\nPossible enum values:\n - `\"Block\"` means the volume will not be formatted with a filesystem and will remain a raw block device.\n - `\"Filesystem\"` means the volume will be or is formatted with a filesystem.","type":"string","enum":["Block","Filesystem"]},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"}}},"io.k8s.api.core.v1.PersistentVolumeStatus":{"description":"PersistentVolumeStatus is the current status of a persistent volume.","type":"object","properties":{"lastPhaseTransitionTime":{"description":"lastPhaseTransitionTime is the time the phase transitioned from one to another and automatically resets to current time everytime a volume phase transitions. This is a beta field and requires the PersistentVolumeLastPhaseTransitionTime feature to be enabled (enabled by default).","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable message indicating details about why the volume is in this state.","type":"string"},"phase":{"description":"phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase\n\nPossible enum values:\n - `\"Available\"` used for PersistentVolumes that are not yet bound Available volumes are held by the binder and matched to PersistentVolumeClaims\n - `\"Bound\"` used for PersistentVolumes that are bound\n - `\"Failed\"` used for PersistentVolumes that failed to be correctly recycled or deleted after being released from a claim\n - `\"Pending\"` used for PersistentVolumes that are not available\n - `\"Released\"` used for PersistentVolumes where the bound PersistentVolumeClaim was deleted released volumes must be recycled before becoming available again this phase is used by the persistent volume claim binder to signal to another process to reclaim the resource","type":"string","enum":["Available","Bound","Failed","Pending","Released"]},"reason":{"description":"reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.","type":"string"}}},"io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource":{"description":"Represents a Photon Controller persistent disk resource.","type":"object","required":["pdID"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"pdID":{"description":"pdID is the ID that identifies Photon Controller persistent disk","type":"string"}}},"io.k8s.api.core.v1.Pod":{"description":"Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodSpec"},"status":{"description":"Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Pod","version":"v1"}]},"io.k8s.api.core.v1.PodAffinity":{"description":"Pod affinity is a group of inter pod affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.PodAffinityTerm":{"description":"Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running","type":"object","required":["topologyKey"],"properties":{"labelSelector":{"description":"A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"description":"MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"namespaceSelector":{"description":"A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means \"this pod's namespace\". An empty selector ({}) matches all namespaces.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"topologyKey":{"description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.","type":"string"}}},"io.k8s.api.core.v1.PodAntiAffinity":{"description":"Pod anti affinity is a group of inter pod anti affinity scheduling rules.","type":"object","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"description":"The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm"},"x-kubernetes-list-type":"atomic"},"requiredDuringSchedulingIgnoredDuringExecution":{"description":"If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.PodCondition":{"description":"PodCondition contains details for the current condition of this pod.","type":"object","required":["type","status"],"properties":{"lastProbeTime":{"description":"Last time we probed the condition.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"Unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"Status is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"string"},"type":{"description":"Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"string"}}},"io.k8s.api.core.v1.PodDNSConfig":{"description":"PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.","type":"object","properties":{"nameservers":{"description":"A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"options":{"description":"A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodDNSConfigOption"},"x-kubernetes-list-type":"atomic"},"searches":{"description":"A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.PodDNSConfigOption":{"description":"PodDNSConfigOption defines DNS resolver options of a pod.","type":"object","properties":{"name":{"description":"Required.","type":"string"},"value":{"type":"string"}}},"io.k8s.api.core.v1.PodIP":{"description":"PodIP represents a single IP address allocated to the pod.","type":"object","properties":{"ip":{"description":"IP is the IP address assigned to the pod","type":"string"}}},"io.k8s.api.core.v1.PodList":{"description":"PodList is a list of Pods.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pods. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodList","version":"v1"}]},"io.k8s.api.core.v1.PodOS":{"description":"PodOS defines the OS parameters of a pod.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the name of the operating system. The currently supported values are linux and windows. Additional value may be defined in future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration Clients should expect to handle additional values and treat unrecognized values in this field as os: null","type":"string"}}},"io.k8s.api.core.v1.PodReadinessGate":{"description":"PodReadinessGate contains the reference to a pod condition","type":"object","required":["conditionType"],"properties":{"conditionType":{"description":"ConditionType refers to a condition in the pod's condition list with matching type.","type":"string"}}},"io.k8s.api.core.v1.PodResourceClaim":{"description":"PodResourceClaim references exactly one ResourceClaim through a ClaimSource. It adds a name to it that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim reference it with this name.","type":"object","required":["name"],"properties":{"name":{"description":"Name uniquely identifies this resource claim inside the pod. This must be a DNS_LABEL.","type":"string"},"source":{"description":"Source describes where to find the ResourceClaim.","$ref":"#/definitions/io.k8s.api.core.v1.ClaimSource"}}},"io.k8s.api.core.v1.PodResourceClaimStatus":{"description":"PodResourceClaimStatus is stored in the PodStatus for each PodResourceClaim which references a ResourceClaimTemplate. It stores the generated name for the corresponding ResourceClaim.","type":"object","required":["name"],"properties":{"name":{"description":"Name uniquely identifies this resource claim inside the pod. This must match the name of an entry in pod.spec.resourceClaims, which implies that the string must be a DNS_LABEL.","type":"string"},"resourceClaimName":{"description":"ResourceClaimName is the name of the ResourceClaim that was generated for the Pod in the namespace of the Pod. It this is unset, then generating a ResourceClaim was not necessary. The pod.spec.resourceClaims entry can be ignored in this case.","type":"string"}}},"io.k8s.api.core.v1.PodSchedulingGate":{"description":"PodSchedulingGate is associated to a Pod to guard its scheduling.","type":"object","required":["name"],"properties":{"name":{"description":"Name of the scheduling gate. Each scheduling gate must have a unique name field.","type":"string"}}},"io.k8s.api.core.v1.PodSecurityContext":{"description":"PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.","type":"object","properties":{"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.AppArmorProfile"},"fsGroup":{"description":"A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:\n\n1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----\n\nIf unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"fsGroupChangePolicy":{"description":"fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used. Note that this field cannot be set when spec.os.name is windows.\n\nPossible enum values:\n - `\"Always\"` indicates that volume's ownership and permissions should always be changed whenever volume is mounted inside a Pod. This the default behavior.\n - `\"OnRootMismatch\"` indicates that volume's ownership and permissions will be changed only when permission and ownership of root directory does not match with expected permissions on the volume. This can help shorten the time it takes to change ownership and permissions of a volume.","type":"string","enum":["Always","OnRootMismatch"]},"runAsGroup":{"description":"The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SELinuxOptions"},"seccompProfile":{"description":"The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SeccompProfile"},"supplementalGroups":{"description":"A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.","type":"array","items":{"type":"integer","format":"int64"},"x-kubernetes-list-type":"atomic"},"sysctls":{"description":"Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Sysctl"},"x-kubernetes-list-type":"atomic"},"windowsOptions":{"description":"The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.","$ref":"#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"}}},"io.k8s.api.core.v1.PodSpec":{"description":"PodSpec is a description of a pod.","type":"object","required":["containers"],"properties":{"activeDeadlineSeconds":{"description":"Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.","type":"integer","format":"int64"},"affinity":{"description":"If specified, the pod's scheduling constraints","$ref":"#/definitions/io.k8s.api.core.v1.Affinity"},"automountServiceAccountToken":{"description":"AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.","type":"boolean"},"containers":{"description":"List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Container"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"dnsConfig":{"description":"Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.","$ref":"#/definitions/io.k8s.api.core.v1.PodDNSConfig"},"dnsPolicy":{"description":"Set DNS policy for the pod. Defaults to \"ClusterFirst\". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.\n\nPossible enum values:\n - `\"ClusterFirst\"` indicates that the pod should use cluster DNS first unless hostNetwork is true, if it is available, then fall back on the default (as determined by kubelet) DNS settings.\n - `\"ClusterFirstWithHostNet\"` indicates that the pod should use cluster DNS first, if it is available, then fall back on the default (as determined by kubelet) DNS settings.\n - `\"Default\"` indicates that the pod should use the default (as determined by kubelet) DNS settings.\n - `\"None\"` indicates that the pod should use empty DNS settings. DNS parameters such as nameservers and search paths should be defined via DNSConfig.","type":"string","enum":["ClusterFirst","ClusterFirstWithHostNet","Default","None"]},"enableServiceLinks":{"description":"EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.","type":"boolean"},"ephemeralContainers":{"description":"List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EphemeralContainer"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"hostAliases":{"description":"HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HostAlias"},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"hostIPC":{"description":"Use the host's ipc namespace. Optional: Default to false.","type":"boolean"},"hostNetwork":{"description":"Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.","type":"boolean"},"hostPID":{"description":"Use the host's pid namespace. Optional: Default to false.","type":"boolean"},"hostUsers":{"description":"Use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns is created for the pod. Setting false is useful for mitigating container breakout vulnerabilities even allowing users to run their containers as root without actually having root privileges on the host. This field is alpha-level and is only honored by servers that enable the UserNamespacesSupport feature.","type":"boolean"},"hostname":{"description":"Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.","type":"string"},"imagePullSecrets":{"description":"ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"initContainers":{"description":"List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Container"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"nodeName":{"description":"NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.","type":"string"},"nodeSelector":{"description":"NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"os":{"description":"Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set.\n\nIf the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions\n\nIf the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.appArmorProfile - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup","$ref":"#/definitions/io.k8s.api.core.v1.PodOS"},"overhead":{"description":"Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"preemptionPolicy":{"description":"PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.","type":"string","enum":["Never","PreemptLowerPriority"]},"priority":{"description":"The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.","type":"integer","format":"int32"},"priorityClassName":{"description":"If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.","type":"string"},"readinessGates":{"description":"If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to \"True\" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodReadinessGate"},"x-kubernetes-list-type":"atomic"},"resourceClaims":{"description":"ResourceClaims defines which ResourceClaims must be allocated and reserved before the Pod is allowed to start. The resources will be made available to those containers which consume them by name.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodResourceClaim"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"},"restartPolicy":{"description":"Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy\n\nPossible enum values:\n - `\"Always\"`\n - `\"Never\"`\n - `\"OnFailure\"`","type":"string","enum":["Always","Never","OnFailure"]},"runtimeClassName":{"description":"RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the \"legacy\" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class","type":"string"},"schedulerName":{"description":"If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.","type":"string"},"schedulingGates":{"description":"SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod.\n\nSchedulingGates can only be set at pod creation time, and be removed only afterwards.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodSchedulingGate"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"},"securityContext":{"description":"SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.","$ref":"#/definitions/io.k8s.api.core.v1.PodSecurityContext"},"serviceAccount":{"description":"DeprecatedServiceAccount is a deprecated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.","type":"string"},"serviceAccountName":{"description":"ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/","type":"string"},"setHostnameAsFQDN":{"description":"If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.","type":"boolean"},"shareProcessNamespace":{"description":"Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.","type":"boolean"},"subdomain":{"description":"If specified, the fully qualified Pod hostname will be \"...svc.\". If not specified, the pod will not have a domainname at all.","type":"string"},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.","type":"integer","format":"int64"},"tolerations":{"description":"If specified, the pod's tolerations.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Toleration"},"x-kubernetes-list-type":"atomic"},"topologySpreadConstraints":{"description":"TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint"},"x-kubernetes-list-map-keys":["topologyKey","whenUnsatisfiable"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"topologyKey","x-kubernetes-patch-strategy":"merge"},"volumes":{"description":"List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Volume"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"}}},"io.k8s.api.core.v1.PodStatus":{"description":"PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.","type":"object","properties":{"conditions":{"description":"Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"containerStatuses":{"description":"The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"ephemeralContainerStatuses":{"description":"Status for any ephemeral containers that have run in this pod.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"hostIP":{"description":"hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will not be updated even if there is a node is assigned to pod","type":"string"},"hostIPs":{"description":"hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must match the hostIP field. This list is empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will not be updated even if there is a node is assigned to this pod.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HostIP"},"x-kubernetes-list-type":"atomic","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"initContainerStatuses":{"description":"The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"x-kubernetes-list-type":"atomic"},"message":{"description":"A human readable message indicating details about why the pod is in this condition.","type":"string"},"nominatedNodeName":{"description":"nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.","type":"string"},"phase":{"description":"The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase\n\nPossible enum values:\n - `\"Failed\"` means that all containers in the pod have terminated, and at least one container has terminated in a failure (exited with a non-zero exit code or was stopped by the system).\n - `\"Pending\"` means the pod has been accepted by the system, but one or more of the containers has not been started. This includes time before being bound to a node, as well as time spent pulling images onto the host.\n - `\"Running\"` means the pod has been bound to a node and all of the containers have been started. At least one container is still running or is in the process of being restarted.\n - `\"Succeeded\"` means that all containers in the pod have voluntarily terminated with a container exit code of 0, and the system is not going to restart any of these containers.\n - `\"Unknown\"` means that for some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. Deprecated: It isn't being set since 2015 (74da3b14b0c0f658b3bb8d2def5094686d0e9095)","type":"string","enum":["Failed","Pending","Running","Succeeded","Unknown"]},"podIP":{"description":"podIP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.","type":"string"},"podIPs":{"description":"podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodIP"},"x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge"},"qosClass":{"description":"The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes\n\nPossible enum values:\n - `\"BestEffort\"` is the BestEffort qos class.\n - `\"Burstable\"` is the Burstable qos class.\n - `\"Guaranteed\"` is the Guaranteed qos class.","type":"string","enum":["BestEffort","Burstable","Guaranteed"]},"reason":{"description":"A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'","type":"string"},"resize":{"description":"Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\"","type":"string"},"resourceClaimStatuses":{"description":"Status of resource claims.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodResourceClaimStatus"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys"},"startTime":{"description":"RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.api.core.v1.PodTemplate":{"description":"PodTemplate describes a template for creating copies of a predefined pod.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"template":{"description":"Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodTemplate","version":"v1"}]},"io.k8s.api.core.v1.PodTemplateList":{"description":"PodTemplateList is a list of PodTemplates.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of pod templates","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"PodTemplateList","version":"v1"}]},"io.k8s.api.core.v1.PodTemplateSpec":{"description":"PodTemplateSpec describes the data a pod should have when created from a template","type":"object","properties":{"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.PodSpec"}}},"io.k8s.api.core.v1.PortStatus":{"type":"object","required":["port","protocol"],"properties":{"error":{"description":"Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.","type":"string"},"port":{"description":"Port is the port number of the service port of which status is recorded here","type":"integer","format":"int32"},"protocol":{"description":"Protocol is the protocol of the service port of which status is recorded here The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}}},"io.k8s.api.core.v1.PortworxVolumeSource":{"description":"PortworxVolumeSource represents a Portworx volume resource.","type":"object","required":["volumeID"],"properties":{"fsType":{"description":"fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}}},"io.k8s.api.core.v1.PreferredSchedulingTerm":{"description":"An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).","type":"object","required":["weight","preference"],"properties":{"preference":{"description":"A node selector term, associated with the corresponding weight.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"},"weight":{"description":"Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.Probe":{"description":"Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.","type":"object","properties":{"exec":{"description":"Exec specifies the action to take.","$ref":"#/definitions/io.k8s.api.core.v1.ExecAction"},"failureThreshold":{"description":"Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.","type":"integer","format":"int32"},"grpc":{"description":"GRPC specifies an action involving a GRPC port.","$ref":"#/definitions/io.k8s.api.core.v1.GRPCAction"},"httpGet":{"description":"HTTPGet specifies the http request to perform.","$ref":"#/definitions/io.k8s.api.core.v1.HTTPGetAction"},"initialDelaySeconds":{"description":"Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"},"periodSeconds":{"description":"How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.","type":"integer","format":"int32"},"successThreshold":{"description":"Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.","type":"integer","format":"int32"},"tcpSocket":{"description":"TCPSocket specifies an action involving a TCP port.","$ref":"#/definitions/io.k8s.api.core.v1.TCPSocketAction"},"terminationGracePeriodSeconds":{"description":"Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.","type":"integer","format":"int64"},"timeoutSeconds":{"description":"Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.ProjectedVolumeSource":{"description":"Represents a projected volume source","type":"object","properties":{"defaultMode":{"description":"defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"sources":{"description":"sources is the list of volume projections","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.VolumeProjection"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.QuobyteVolumeSource":{"description":"Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.","type":"object","required":["registry","volume"],"properties":{"group":{"description":"group to map volume access to Default is no group","type":"string"},"readOnly":{"description":"readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.","type":"boolean"},"registry":{"description":"registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes","type":"string"},"tenant":{"description":"tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin","type":"string"},"user":{"description":"user to map volume access to Defaults to serivceaccount user","type":"string"},"volume":{"description":"volume is a string that references an already created Quobyte volume by name.","type":"string"}}},"io.k8s.api.core.v1.RBDPersistentVolumeSource":{"description":"Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.","type":"object","required":["monitors","image"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"user":{"description":"user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"io.k8s.api.core.v1.RBDVolumeSource":{"description":"Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.","type":"object","required":["monitors","image"],"properties":{"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"monitors":{"description":"monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"description":"secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"user":{"description":"user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}}},"io.k8s.api.core.v1.ReplicationController":{"description":"ReplicationController represents the configuration of a replication controller.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerSpec"},"status":{"description":"Status is the most recently observed status of the replication controller. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ReplicationController","version":"v1"}]},"io.k8s.api.core.v1.ReplicationControllerCondition":{"description":"ReplicationControllerCondition describes the state of a replication controller at a certain point.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"The last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of replication controller condition.","type":"string"}}},"io.k8s.api.core.v1.ReplicationControllerList":{"description":"ReplicationControllerList is a collection of replication controllers.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ReplicationControllerList","version":"v1"}]},"io.k8s.api.core.v1.ReplicationControllerSpec":{"description":"ReplicationControllerSpec is the specification of a replication controller.","type":"object","properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller","type":"integer","format":"int32"},"selector":{"description":"Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"template":{"description":"Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template","$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec"}}},"io.k8s.api.core.v1.ReplicationControllerStatus":{"description":"ReplicationControllerStatus represents the current status of a replication controller.","type":"object","required":["replicas"],"properties":{"availableReplicas":{"description":"The number of available replicas (ready for at least minReadySeconds) for this replication controller.","type":"integer","format":"int32"},"conditions":{"description":"Represents the latest available observations of a replication controller's current state.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationControllerCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"fullyLabeledReplicas":{"description":"The number of pods that have labels matching the labels of the pod template of the replication controller.","type":"integer","format":"int32"},"observedGeneration":{"description":"ObservedGeneration reflects the generation of the most recently observed replication controller.","type":"integer","format":"int64"},"readyReplicas":{"description":"The number of ready replicas for this replication controller.","type":"integer","format":"int32"},"replicas":{"description":"Replicas is the most recently observed number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.ResourceClaim":{"description":"ResourceClaim references one entry in PodSpec.ResourceClaims.","type":"object","required":["name"],"properties":{"name":{"description":"Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.","type":"string"}}},"io.k8s.api.core.v1.ResourceFieldSelector":{"description":"ResourceFieldSelector represents container resources (cpu, memory) and their output format","type":"object","required":["resource"],"properties":{"containerName":{"description":"Container name: required for volumes, optional for env vars","type":"string"},"divisor":{"description":"Specifies the output format of the exposed resources, defaults to \"1\"","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"resource":{"description":"Required: resource to select","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ResourceQuota":{"description":"ResourceQuota sets aggregate quota restrictions enforced per namespace","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaSpec"},"status":{"description":"Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuota","version":"v1"}]},"io.k8s.api.core.v1.ResourceQuotaList":{"description":"ResourceQuotaList is a list of ResourceQuota items.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ResourceQuota objects. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuotaList","version":"v1"}]},"io.k8s.api.core.v1.ResourceQuotaSpec":{"description":"ResourceQuotaSpec defines the desired hard limits to enforce for Quota.","type":"object","properties":{"hard":{"description":"hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"scopeSelector":{"description":"scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.","$ref":"#/definitions/io.k8s.api.core.v1.ScopeSelector"},"scopes":{"description":"A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.","type":"array","items":{"type":"string","enum":["BestEffort","CrossNamespacePodAffinity","NotBestEffort","NotTerminating","PriorityClass","Terminating"]},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.ResourceQuotaStatus":{"description":"ResourceQuotaStatus defines the enforced hard limits and observed use.","type":"object","properties":{"hard":{"description":"Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"used":{"description":"Used is the current observed total usage of the resource in the namespace.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}}},"io.k8s.api.core.v1.ResourceRequirements":{"description":"ResourceRequirements describes the compute resource requirements.","type":"object","properties":{"claims":{"description":"Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.\n\nThis is an alpha field and requires enabling the DynamicResourceAllocation feature gate.\n\nThis field is immutable. It can only be set for containers.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceClaim"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"},"limits":{"description":"Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"requests":{"description":"Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}}},"io.k8s.api.core.v1.SELinuxOptions":{"description":"SELinuxOptions are the labels to be applied to the container","type":"object","properties":{"level":{"description":"Level is SELinux level label that applies to the container.","type":"string"},"role":{"description":"Role is a SELinux role label that applies to the container.","type":"string"},"type":{"description":"Type is a SELinux type label that applies to the container.","type":"string"},"user":{"description":"User is a SELinux user label that applies to the container.","type":"string"}}},"io.k8s.api.core.v1.ScaleIOPersistentVolumeSource":{"description":"ScaleIOPersistentVolumeSource represents a persistent ScaleIO volume","type":"object","required":["gateway","system","secretRef"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\"","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.","$ref":"#/definitions/io.k8s.api.core.v1.SecretReference"},"sslEnabled":{"description":"sslEnabled is the flag to enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.","type":"string"}}},"io.k8s.api.core.v1.ScaleIOVolumeSource":{"description":"ScaleIOVolumeSource represents a persistent ScaleIO volume","type":"object","required":["gateway","system","secretRef"],"properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".","type":"string"},"gateway":{"description":"gateway is the host address of the ScaleIO API Gateway.","type":"string"},"protectionDomain":{"description":"protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.","type":"string"},"readOnly":{"description":"readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"sslEnabled":{"description":"sslEnabled Flag enable/disable SSL communication with Gateway, default false","type":"boolean"},"storageMode":{"description":"storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.","type":"string"},"storagePool":{"description":"storagePool is the ScaleIO Storage Pool associated with the protection domain.","type":"string"},"system":{"description":"system is the name of the storage system as configured in ScaleIO.","type":"string"},"volumeName":{"description":"volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.","type":"string"}}},"io.k8s.api.core.v1.ScopeSelector":{"description":"A scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.","type":"object","properties":{"matchExpressions":{"description":"A list of scope selector requirements by scope of the resources.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ScopedResourceSelectorRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ScopedResourceSelectorRequirement":{"description":"A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.","type":"object","required":["scopeName","operator"],"properties":{"operator":{"description":"Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.\n\nPossible enum values:\n - `\"DoesNotExist\"`\n - `\"Exists\"`\n - `\"In\"`\n - `\"NotIn\"`","type":"string","enum":["DoesNotExist","Exists","In","NotIn"]},"scopeName":{"description":"The name of the scope that the selector applies to.\n\nPossible enum values:\n - `\"BestEffort\"` Match all pod objects that have best effort quality of service\n - `\"CrossNamespacePodAffinity\"` Match all pod objects that have cross-namespace pod (anti)affinity mentioned.\n - `\"NotBestEffort\"` Match all pod objects that do not have best effort quality of service\n - `\"NotTerminating\"` Match all pod objects where spec.activeDeadlineSeconds is nil\n - `\"PriorityClass\"` Match all pod objects that have priority class mentioned\n - `\"Terminating\"` Match all pod objects where spec.activeDeadlineSeconds >=0","type":"string","enum":["BestEffort","CrossNamespacePodAffinity","NotBestEffort","NotTerminating","PriorityClass","Terminating"]},"values":{"description":"An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.SeccompProfile":{"description":"SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.","type":"object","required":["type"],"properties":{"localhostProfile":{"description":"localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is \"Localhost\". Must NOT be set for any other type.","type":"string"},"type":{"description":"type indicates which kind of seccomp profile will be applied. Valid options are:\n\nLocalhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.\n\nPossible enum values:\n - `\"Localhost\"` indicates a profile defined in a file on the node should be used. The file's location relative to /seccomp.\n - `\"RuntimeDefault\"` represents the default container runtime seccomp profile.\n - `\"Unconfined\"` indicates no seccomp profile is applied (A.K.A. unconfined).","type":"string","enum":["Localhost","RuntimeDefault","Unconfined"]}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"localhostProfile":"LocalhostProfile"}}]},"io.k8s.api.core.v1.Secret":{"description":"Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"description":"Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4","type":"object","additionalProperties":{"type":"string","format":"byte"}},"immutable":{"description":"Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"stringData":{"description":"stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.","type":"object","additionalProperties":{"type":"string"}},"type":{"description":"Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Secret","version":"v1"}]},"io.k8s.api.core.v1.SecretEnvSource":{"description":"SecretEnvSource selects a Secret to populate the environment variables with.\n\nThe contents of the target Secret's Data field will represent the key-value pairs as environment variables.","type":"object","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret must be defined","type":"boolean"}}},"io.k8s.api.core.v1.SecretKeySelector":{"description":"SecretKeySelector selects a key of a Secret.","type":"object","required":["key"],"properties":{"key":{"description":"The key of the secret to select from. Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.SecretList":{"description":"SecretList is a list of Secret.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Secret"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"SecretList","version":"v1"}]},"io.k8s.api.core.v1.SecretProjection":{"description":"Adapts a secret into a projected volume.\n\nThe contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.","type":"object","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}}},"io.k8s.api.core.v1.SecretReference":{"description":"SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace","type":"object","properties":{"name":{"description":"name is unique within a namespace to reference a secret resource.","type":"string"},"namespace":{"description":"namespace defines the space within which the secret name must be unique.","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.SecretVolumeSource":{"description":"Adapts a Secret into a volume.\n\nThe contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.","type":"object","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","type":"integer","format":"int32"},"items":{"description":"items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"x-kubernetes-list-type":"atomic"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}}},"io.k8s.api.core.v1.SecurityContext":{"description":"SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.","type":"object","properties":{"allowPrivilegeEscalation":{"description":"AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"appArmorProfile":{"description":"appArmorProfile is the AppArmor options to use by this container. If set, this profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.AppArmorProfile"},"capabilities":{"description":"The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.Capabilities"},"privileged":{"description":"Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"procMount":{"description":"procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.\n\nPossible enum values:\n - `\"Default\"` uses the container runtime defaults for readonly and masked paths for /proc. Most container runtimes mask certain paths in /proc to avoid accidental security exposure of special devices or information.\n - `\"Unmasked\"` bypasses the default masking behavior of the container runtime and ensures the newly created /proc the container stays in tact with no modifications.","type":"string","enum":["Default","Unmasked"]},"readOnlyRootFilesystem":{"description":"Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.","type":"boolean"},"runAsGroup":{"description":"The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"runAsNonRoot":{"description":"Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"boolean"},"runAsUser":{"description":"The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","type":"integer","format":"int64"},"seLinuxOptions":{"description":"The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SELinuxOptions"},"seccompProfile":{"description":"The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.","$ref":"#/definitions/io.k8s.api.core.v1.SeccompProfile"},"windowsOptions":{"description":"The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.","$ref":"#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"}}},"io.k8s.api.core.v1.Service":{"description":"Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ServiceSpec"},"status":{"description":"Most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.core.v1.ServiceStatus"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Service","version":"v1"}]},"io.k8s.api.core.v1.ServiceAccount":{"description":"ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"automountServiceAccountToken":{"description":"AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.","type":"boolean"},"imagePullSecrets":{"description":"ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"secrets":{"description":"Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a \"kubernetes.io/enforce-mountable-secrets\" annotation set to \"true\". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceAccount","version":"v1"}]},"io.k8s.api.core.v1.ServiceAccountList":{"description":"ServiceAccountList is a list of ServiceAccount objects","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccount"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceAccountList","version":"v1"}]},"io.k8s.api.core.v1.ServiceAccountTokenProjection":{"description":"ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).","type":"object","required":["path"],"properties":{"audience":{"description":"audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.","type":"integer","format":"int64"},"path":{"description":"path is the path relative to the mount point of the file to project the token into.","type":"string"}}},"io.k8s.api.core.v1.ServiceList":{"description":"ServiceList holds a list of services.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of services","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceList","version":"v1"}]},"io.k8s.api.core.v1.ServicePort":{"description":"ServicePort contains information on service's port.","type":"object","required":["port"],"properties":{"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.","type":"string"},"nodePort":{"description":"The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport","type":"integer","format":"int32"},"port":{"description":"The port that will be exposed by this service.","type":"integer","format":"int32"},"protocol":{"description":"The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]},"targetPort":{"description":"Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}}},"io.k8s.api.core.v1.ServiceSpec":{"description":"ServiceSpec describes the attributes that a user creates on a service.","type":"object","properties":{"allocateLoadBalancerNodePorts":{"description":"allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is \"true\". It may be set to \"false\" if the cluster load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a value), those requests will be respected, regardless of this field. This field may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type.","type":"boolean"},"clusterIP":{"description":"clusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are \"None\", empty string (\"\"), or a valid IP address. Setting this to \"None\" makes a \"headless service\" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"string"},"clusterIPs":{"description":"ClusterIPs is a list of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be empty) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are \"None\", empty string (\"\"), or a valid IP address. Setting this to \"None\" makes a \"headless service\" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. If this field is not specified, it will be initialized from the clusterIP field. If this field is specified, clients must ensure that clusterIPs[0] and clusterIP have the same value.\n\nThis field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"externalIPs":{"description":"externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"externalName":{"description":"externalName is the external reference that discovery mechanisms will return as an alias for this service (e.g. a DNS CNAME record). No proxying will be involved. Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires `type` to be \"ExternalName\".","type":"string"},"externalTrafficPolicy":{"description":"externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's \"externally-facing\" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to \"Local\", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get \"Cluster\" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.\n\nPossible enum values:\n - `\"Cluster\"` routes traffic to all endpoints.\n - `\"Local\"` preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).","type":"string","enum":["Cluster","Local"]},"healthCheckNodePort":{"description":"healthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used. If not specified, a value will be automatically allocated. External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type). This field cannot be updated once set.","type":"integer","format":"int32"},"internalTrafficPolicy":{"description":"InternalTrafficPolicy describes how nodes distribute service traffic they receive on the ClusterIP. If set to \"Local\", the proxy will assume that pods only want to talk to endpoints of the service on the same node as the pod, dropping the traffic if there are no local endpoints. The default value, \"Cluster\", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features).\n\nPossible enum values:\n - `\"Cluster\"` routes traffic to all endpoints.\n - `\"Local\"` routes traffic only to endpoints on the same node as the client pod (dropping the traffic if there are no local endpoints).","type":"string","enum":["Cluster","Local"]},"ipFamilies":{"description":"IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. Valid values are \"IPv4\" and \"IPv6\". This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to \"headless\" services. This field will be wiped when updating a Service to type ExternalName.\n\nThis field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.","type":"array","items":{"type":"string","enum":["","IPv4","IPv6"]},"x-kubernetes-list-type":"atomic"},"ipFamilyPolicy":{"description":"IPFamilyPolicy represents the dual-stack-ness requested or required by this Service. If there is no value provided, then this field will be set to SingleStack. Services can be \"SingleStack\" (a single IP family), \"PreferDualStack\" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or \"RequireDualStack\" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field. This field will be wiped when updating a service to type ExternalName.\n\nPossible enum values:\n - `\"PreferDualStack\"` indicates that this service prefers dual-stack when the cluster is configured for dual-stack. If the cluster is not configured for dual-stack the service will be assigned a single IPFamily. If the IPFamily is not set in service.spec.ipFamilies then the service will be assigned the default IPFamily configured on the cluster\n - `\"RequireDualStack\"` indicates that this service requires dual-stack. Using IPFamilyPolicyRequireDualStack on a single stack cluster will result in validation errors. The IPFamilies (and their order) assigned to this service is based on service.spec.ipFamilies. If service.spec.ipFamilies was not provided then it will be assigned according to how they are configured on the cluster. If service.spec.ipFamilies has only one entry then the alternative IPFamily will be added by apiserver\n - `\"SingleStack\"` indicates that this service is required to have a single IPFamily. The IPFamily assigned is based on the default IPFamily used by the cluster or as identified by service.spec.ipFamilies field","type":"string","enum":["PreferDualStack","RequireDualStack","SingleStack"]},"loadBalancerClass":{"description":"loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. \"internal-vip\" or \"example.com/internal-vip\". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.","type":"string"},"loadBalancerIP":{"description":"Only applies to Service Type: LoadBalancer. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. Deprecated: This field was under-specified and its meaning varies across implementations. Using it is non-portable and it may not support dual-stack. Users are encouraged to use implementation-specific annotations when available.","type":"string"},"loadBalancerSourceRanges":{"description":"If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ServicePort"},"x-kubernetes-list-map-keys":["port","protocol"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"port","x-kubernetes-patch-strategy":"merge"},"publishNotReadyAddresses":{"description":"publishNotReadyAddresses indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready. The primary use case for setting this field is for a StatefulSet's Headless Service to propagate SRV DNS records for its Pods for the purpose of peer discovery. The Kubernetes controllers that generate Endpoints and EndpointSlice resources for Services interpret this to mean that all endpoints are considered \"ready\" even if the Pods themselves are not. Agents which consume only Kubernetes generated endpoints through the Endpoints or EndpointSlice resources can safely assume this behavior.","type":"boolean"},"selector":{"description":"Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"sessionAffinity":{"description":"Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies\n\nPossible enum values:\n - `\"ClientIP\"` is the Client IP based.\n - `\"None\"` - no session affinity.","type":"string","enum":["ClientIP","None"]},"sessionAffinityConfig":{"description":"sessionAffinityConfig contains the configurations of session affinity.","$ref":"#/definitions/io.k8s.api.core.v1.SessionAffinityConfig"},"trafficDistribution":{"description":"TrafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints. Implementations can use this field as a hint, but are not required to guarantee strict adherence. If the field is not set, the implementation will apply its default routing strategy. If set to \"PreferClose\", implementations should prioritize endpoints that are topologically close (e.g., same zone). This is an alpha field and requires enabling ServiceTrafficDistribution feature.","type":"string"},"type":{"description":"type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. \"ExternalName\" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types\n\nPossible enum values:\n - `\"ClusterIP\"` means a service will only be accessible inside the cluster, via the cluster IP.\n - `\"ExternalName\"` means a service consists of only a reference to an external name that kubedns or equivalent will return as a CNAME record, with no exposing or proxying of any pods involved.\n - `\"LoadBalancer\"` means a service will be exposed via an external load balancer (if the cloud provider supports it), in addition to 'NodePort' type.\n - `\"NodePort\"` means a service will be exposed on one port of every node, in addition to 'ClusterIP' type.","type":"string","enum":["ClusterIP","ExternalName","LoadBalancer","NodePort"]}}},"io.k8s.api.core.v1.ServiceStatus":{"description":"ServiceStatus represents the current status of a service.","type":"object","properties":{"conditions":{"description":"Current service state","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"loadBalancer":{"description":"LoadBalancer contains the current status of the load-balancer, if one is present.","$ref":"#/definitions/io.k8s.api.core.v1.LoadBalancerStatus"}}},"io.k8s.api.core.v1.SessionAffinityConfig":{"description":"SessionAffinityConfig represents the configurations of session affinity.","type":"object","properties":{"clientIP":{"description":"clientIP contains the configurations of Client IP based session affinity.","$ref":"#/definitions/io.k8s.api.core.v1.ClientIPConfig"}}},"io.k8s.api.core.v1.SleepAction":{"description":"SleepAction describes a \"sleep\" action.","type":"object","required":["seconds"],"properties":{"seconds":{"description":"Seconds is the number of seconds to sleep.","type":"integer","format":"int64"}}},"io.k8s.api.core.v1.StorageOSPersistentVolumeSource":{"description":"Represents a StorageOS persistent volume resource.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"io.k8s.api.core.v1.StorageOSVolumeSource":{"description":"Represents a StorageOS persistent volume resource.","type":"object","properties":{"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"description":"secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted.","$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference"},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.","type":"string"}}},"io.k8s.api.core.v1.Sysctl":{"description":"Sysctl defines a kernel parameter to be set","type":"object","required":["name","value"],"properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"io.k8s.api.core.v1.TCPSocketAction":{"description":"TCPSocketAction describes an action based on opening a socket","type":"object","required":["port"],"properties":{"host":{"description":"Optional: Host name to connect to, defaults to the pod IP.","type":"string"},"port":{"description":"Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}}},"io.k8s.api.core.v1.Taint":{"description":"The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint.","type":"object","required":["key","effect"],"properties":{"effect":{"description":"Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the taint. Currently enforced by NodeController.\n - `\"NoSchedule\"` Do not allow new pods to schedule onto the node unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running. Enforced by the scheduler.\n - `\"PreferNoSchedule\"` Like TaintEffectNoSchedule, but the scheduler tries not to schedule new pods onto the node, rather than prohibiting new pods from scheduling onto the node entirely. Enforced by the scheduler.","type":"string","enum":["NoExecute","NoSchedule","PreferNoSchedule"]},"key":{"description":"Required. The taint key to be applied to a node.","type":"string"},"timeAdded":{"description":"TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"value":{"description":"The taint value corresponding to the taint key.","type":"string"}}},"io.k8s.api.core.v1.Toleration":{"description":"The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .","type":"object","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.\n\nPossible enum values:\n - `\"NoExecute\"` Evict any already-running pods that do not tolerate the taint. Currently enforced by NodeController.\n - `\"NoSchedule\"` Do not allow new pods to schedule onto the node unless they tolerate the taint, but allow all pods submitted to Kubelet without going through the scheduler to start, and allow all already-running pods to continue running. Enforced by the scheduler.\n - `\"PreferNoSchedule\"` Like TaintEffectNoSchedule, but the scheduler tries not to schedule new pods onto the node, rather than prohibiting new pods from scheduling onto the node entirely. Enforced by the scheduler.","type":"string","enum":["NoExecute","NoSchedule","PreferNoSchedule"]},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.\n\nPossible enum values:\n - `\"Equal\"`\n - `\"Exists\"`","type":"string","enum":["Equal","Exists"]},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.","type":"integer","format":"int64"},"value":{"description":"Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.","type":"string"}}},"io.k8s.api.core.v1.TopologySelectorLabelRequirement":{"description":"A topology selector requirement is a selector that matches given label. This is an alpha feature and may change in the future.","type":"object","required":["key","values"],"properties":{"key":{"description":"The label key that the selector applies to.","type":"string"},"values":{"description":"An array of string values. One value must match the label to be selected. Each entry in Values is ORed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.TopologySelectorTerm":{"description":"A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.","type":"object","properties":{"matchLabelExpressions":{"description":"A list of topology selector requirements by labels.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySelectorLabelRequirement"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.TopologySpreadConstraint":{"description":"TopologySpreadConstraint specifies how to spread matching pods among the given topology.","type":"object","required":["maxSkew","topologyKey","whenUnsatisfiable"],"properties":{"labelSelector":{"description":"LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.\n\nThis is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"maxSkew":{"description":"MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.","type":"integer","format":"int32"},"minDomains":{"description":"MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.\n\nFor example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.","type":"integer","format":"int32"},"nodeAffinityPolicy":{"description":"NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.\n\nIf this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.","type":"string","enum":["Honor","Ignore"]},"nodeTaintsPolicy":{"description":"NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.\n\nIf this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.\n\nPossible enum values:\n - `\"Honor\"` means use this scheduling directive when calculating pod topology spread skew.\n - `\"Ignore\"` means ignore this scheduling directive when calculating pod topology spread skew.","type":"string","enum":["Honor","Ignore"]},"topologyKey":{"description":"TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a \"bucket\", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is \"kubernetes.io/hostname\", each Node is a domain of that topology. And, if TopologyKey is \"topology.kubernetes.io/zone\", each zone is a domain of that topology. It's a required field.","type":"string"},"whenUnsatisfiable":{"description":"WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location,\n but giving higher precedence to topologies that would help reduce the\n skew.\nA constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.\n\nPossible enum values:\n - `\"DoNotSchedule\"` instructs the scheduler not to schedule the pod when constraints are not satisfied.\n - `\"ScheduleAnyway\"` instructs the scheduler to schedule the pod even if constraints are not satisfied.","type":"string","enum":["DoNotSchedule","ScheduleAnyway"]}}},"io.k8s.api.core.v1.TypedLocalObjectReference":{"description":"TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.TypedObjectReference":{"type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"},"namespace":{"description":"Namespace is the namespace of resource being referenced Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.","type":"string"}}},"io.k8s.api.core.v1.Volume":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","type":"object","required":["name"],"properties":{"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","$ref":"#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"azureDisk":{"description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"},"azureFile":{"description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource"},"cephfs":{"description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime","$ref":"#/definitions/io.k8s.api.core.v1.CephFSVolumeSource"},"cinder":{"description":"cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.CinderVolumeSource"},"configMap":{"description":"configMap represents a configMap that should populate this volume","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource"},"csi":{"description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature).","$ref":"#/definitions/io.k8s.api.core.v1.CSIVolumeSource"},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource"},"emptyDir":{"description":"emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir","$ref":"#/definitions/io.k8s.api.core.v1.EmptyDirVolumeSource"},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.\n\nUse this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity\n tracking are needed,\nc) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through\n a PersistentVolumeClaim (see EphemeralVolumeSource for more\n information on the connection between this volume type\n and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.\n\nA pod can use both types of ephemeral volumes and persistent volumes at the same time.","$ref":"#/definitions/io.k8s.api.core.v1.EphemeralVolumeSource"},"fc":{"description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.","$ref":"#/definitions/io.k8s.api.core.v1.FCVolumeSource"},"flexVolume":{"description":"flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.","$ref":"#/definitions/io.k8s.api.core.v1.FlexVolumeSource"},"flocker":{"description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running","$ref":"#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"},"gcePersistentDisk":{"description":"gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk","$ref":"#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"},"gitRepo":{"description":"gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.","$ref":"#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource"},"glusterfs":{"description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md","$ref":"#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource"},"hostPath":{"description":"hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","$ref":"#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"},"iscsi":{"description":"iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md","$ref":"#/definitions/io.k8s.api.core.v1.ISCSIVolumeSource"},"name":{"description":"name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"description":"nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs","$ref":"#/definitions/io.k8s.api.core.v1.NFSVolumeSource"},"persistentVolumeClaim":{"description":"persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"},"photonPersistentDisk":{"description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"},"portworxVolume":{"description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"},"projected":{"description":"projected items for all in one resources secrets, configmaps, and downward API","$ref":"#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource"},"quobyte":{"description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime","$ref":"#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"},"rbd":{"description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md","$ref":"#/definitions/io.k8s.api.core.v1.RBDVolumeSource"},"scaleIO":{"description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.","$ref":"#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource"},"secret":{"description":"secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret","$ref":"#/definitions/io.k8s.api.core.v1.SecretVolumeSource"},"storageos":{"description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.","$ref":"#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource"},"vsphereVolume":{"description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine","$ref":"#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"}}},"io.k8s.api.core.v1.VolumeDevice":{"description":"volumeDevice describes a mapping of a raw block device within a container.","type":"object","required":["name","devicePath"],"properties":{"devicePath":{"description":"devicePath is the path inside of the container that the device will be mapped to.","type":"string"},"name":{"description":"name must match the name of a persistentVolumeClaim in the pod","type":"string"}}},"io.k8s.api.core.v1.VolumeMount":{"description":"VolumeMount describes a mounting of a Volume within a container.","type":"object","required":["name","mountPath"],"properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted. Must not contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).\n\nPossible enum values:\n - `\"Bidirectional\"` means that the volume in a container will receive new mounts from the host or other containers, and its own mounts will be propagated from the container to the host or other containers. Note that this mode is recursively applied to all mounts in the volume (\"rshared\" in Linux terminology).\n - `\"HostToContainer\"` means that the volume in a container will receive new mounts from the host or other containers, but filesystems mounted inside the container won't be propagated to the host or other containers. Note that this mode is recursively applied to all mounts in the volume (\"rslave\" in Linux terminology).\n - `\"None\"` means that the volume in a container will not receive new mounts from the host or other containers, and filesystems mounted inside the container won't be propagated to the host or other containers. Note that this mode corresponds to \"private\" in Linux terminology.","type":"string","enum":["Bidirectional","HostToContainer","None"]},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"description":"Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"io.k8s.api.core.v1.VolumeMountStatus":{"description":"VolumeMountStatus shows status of volume mounts.","type":"object","required":["name","mountPath"],"properties":{"mountPath":{"description":"MountPath corresponds to the original VolumeMount.","type":"string"},"name":{"description":"Name corresponds to the name of the original VolumeMount.","type":"string"},"readOnly":{"description":"ReadOnly corresponds to the original VolumeMount.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled, depending on the mount result.","type":"string"}}},"io.k8s.api.core.v1.VolumeNodeAffinity":{"description":"VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.","type":"object","properties":{"required":{"description":"required specifies hard node constraints that must be met.","$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector"}}},"io.k8s.api.core.v1.VolumeProjection":{"description":"Projection that may be projected along with other supported volume types","type":"object","properties":{"clusterTrustBundle":{"description":"ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file.\n\nAlpha, gated by the ClusterTrustBundleProjection feature gate.\n\nClusterTrustBundle objects can either be selected by name, or by the combination of signer name and a label selector.\n\nKubelet performs aggressive normalization of the PEM contents written into the pod filesystem. Esoteric PEM features such as inter-block comments and block headers are stripped. Certificates are deduplicated. The ordering of certificates within the file is arbitrary, and Kubelet may change the order over time.","$ref":"#/definitions/io.k8s.api.core.v1.ClusterTrustBundleProjection"},"configMap":{"description":"configMap information about the configMap data to project","$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapProjection"},"downwardAPI":{"description":"downwardAPI information about the downwardAPI data to project","$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIProjection"},"secret":{"description":"secret information about the secret data to project","$ref":"#/definitions/io.k8s.api.core.v1.SecretProjection"},"serviceAccountToken":{"description":"serviceAccountToken is information about the serviceAccountToken data to project","$ref":"#/definitions/io.k8s.api.core.v1.ServiceAccountTokenProjection"}}},"io.k8s.api.core.v1.VolumeResourceRequirements":{"description":"VolumeResourceRequirements describes the storage resource requirements for a volume.","type":"object","properties":{"limits":{"description":"Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}},"requests":{"description":"Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}}},"io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource":{"description":"Represents a vSphere volume resource.","type":"object","required":["volumePath"],"properties":{"fsType":{"description":"fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"storagePolicyID":{"description":"storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.","type":"string"},"storagePolicyName":{"description":"storagePolicyName is the storage Policy Based Management (SPBM) profile name.","type":"string"},"volumePath":{"description":"volumePath is the path that identifies vSphere volume vmdk","type":"string"}}},"io.k8s.api.core.v1.WeightedPodAffinityTerm":{"description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)","type":"object","required":["weight","podAffinityTerm"],"properties":{"podAffinityTerm":{"description":"Required. A pod affinity term, associated with the corresponding weight.","$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"},"weight":{"description":"weight associated with matching the corresponding podAffinityTerm, in the range 1-100.","type":"integer","format":"int32"}}},"io.k8s.api.core.v1.WindowsSecurityContextOptions":{"description":"WindowsSecurityContextOptions contain Windows-specific options and credentials.","type":"object","properties":{"gmsaCredentialSpec":{"description":"GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.","type":"string"},"gmsaCredentialSpecName":{"description":"GMSACredentialSpecName is the name of the GMSA credential spec to use.","type":"string"},"hostProcess":{"description":"HostProcess determines if a container should be run as a 'Host Process' container. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.","type":"boolean"},"runAsUserName":{"description":"The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.","type":"string"}}},"io.k8s.api.discovery.v1.Endpoint":{"description":"Endpoint represents a single logical \"backend\" implementing a service.","type":"object","required":["addresses"],"properties":{"addresses":{"description":"addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field. Consumers must handle different types of addresses in the context of their own capabilities. This must contain at least one address but no more than 100. These are all assumed to be fungible and clients may choose to only use the first element. Refer to: https://issue.k8s.io/106267","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"conditions":{"description":"conditions contains information about the current status of the endpoint.","$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointConditions"},"deprecatedTopology":{"description":"deprecatedTopology contains topology information part of the v1beta1 API. This field is deprecated, and will be removed when the v1beta1 API is removed (no sooner than kubernetes v1.24). While this field can hold values, it is not writable through the v1 API, and any attempts to write to it will be silently ignored. Topology information can be found in the zone and nodeName fields instead.","type":"object","additionalProperties":{"type":"string"}},"hints":{"description":"hints contains information associated with how an endpoint should be consumed.","$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointHints"},"hostname":{"description":"hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.","type":"string"},"nodeName":{"description":"nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node.","type":"string"},"targetRef":{"description":"targetRef is a reference to a Kubernetes object that represents this endpoint.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"zone":{"description":"zone is the name of the Zone this endpoint exists in.","type":"string"}}},"io.k8s.api.discovery.v1.EndpointConditions":{"description":"EndpointConditions represents the current condition of an endpoint.","type":"object","properties":{"ready":{"description":"ready indicates that this endpoint is prepared to receive traffic, according to whatever system is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should interpret this unknown state as ready. For compatibility reasons, ready should never be \"true\" for terminating endpoints, except when the normal readiness behavior is being explicitly overridden, for example when the associated Service has set the publishNotReadyAddresses flag.","type":"boolean"},"serving":{"description":"serving is identical to ready except that it is set regardless of the terminating state of endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, consumers should defer to the ready condition.","type":"boolean"},"terminating":{"description":"terminating indicates that this endpoint is terminating. A nil value indicates an unknown state. Consumers should interpret this unknown state to mean that the endpoint is not terminating.","type":"boolean"}}},"io.k8s.api.discovery.v1.EndpointHints":{"description":"EndpointHints provides hints describing how an endpoint should be consumed.","type":"object","properties":{"forZones":{"description":"forZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.ForZone"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.discovery.v1.EndpointPort":{"description":"EndpointPort represents a Port used by an EndpointSlice","type":"object","properties":{"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"description":"name represents the name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is derived from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.","type":"string"},"port":{"description":"port represents the port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.","type":"integer","format":"int32"},"protocol":{"description":"protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.discovery.v1.EndpointSlice":{"description":"EndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.","type":"object","required":["addressType","endpoints"],"properties":{"addressType":{"description":"addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.\n\nPossible enum values:\n - `\"FQDN\"` represents a FQDN.\n - `\"IPv4\"` represents an IPv4 Address.\n - `\"IPv6\"` represents an IPv6 Address.","type":"string","enum":["FQDN","IPv4","IPv6"]},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"endpoints":{"description":"endpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.Endpoint"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"ports":{"description":"ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates \"all ports\". Each slice may include a maximum of 100 ports.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointPort"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"discovery.k8s.io","kind":"EndpointSlice","version":"v1"}]},"io.k8s.api.discovery.v1.EndpointSliceList":{"description":"EndpointSliceList represents a list of endpoint slices","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of endpoint slices","type":"array","items":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointSlice"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"discovery.k8s.io","kind":"EndpointSliceList","version":"v1"}]},"io.k8s.api.discovery.v1.ForZone":{"description":"ForZone provides information about which zones should consume this endpoint.","type":"object","required":["name"],"properties":{"name":{"description":"name represents the name of the zone.","type":"string"}}},"io.k8s.api.events.v1.Event":{"description":"Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time. Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason. Events should be treated as informative, best-effort, supplemental data.","type":"object","required":["eventTime"],"properties":{"action":{"description":"action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"deprecatedCount":{"description":"deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.","type":"integer","format":"int32"},"deprecatedFirstTimestamp":{"description":"deprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deprecatedLastTimestamp":{"description":"deprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deprecatedSource":{"description":"deprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type.","$ref":"#/definitions/io.k8s.api.core.v1.EventSource"},"eventTime":{"description":"eventTime is the time when this Event was first observed. It is required.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"note":{"description":"note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.","type":"string"},"reason":{"description":"reason is why the action was taken. It is human-readable. This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"regarding":{"description":"regarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"related":{"description":"related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"reportingController":{"description":"reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.","type":"string"},"reportingInstance":{"description":"reportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.","type":"string"},"series":{"description":"series is data about the Event series this event represents or nil if it's a singleton Event.","$ref":"#/definitions/io.k8s.api.events.v1.EventSeries"},"type":{"description":"type is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable. This field cannot be empty for new Events.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"events.k8s.io","kind":"Event","version":"v1"}]},"io.k8s.api.events.v1.EventList":{"description":"EventList is a list of Event objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.events.v1.Event"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"events.k8s.io","kind":"EventList","version":"v1"}]},"io.k8s.api.events.v1.EventSeries":{"description":"EventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time. How often to update the EventSeries is up to the event reporters. The default event reporter in \"k8s.io/client-go/tools/events/event_broadcaster.go\" shows how this struct is updated on heartbeats and can guide customized reporter implementations.","type":"object","required":["count","lastObservedTime"],"properties":{"count":{"description":"count is the number of occurrences in this series up to the last heartbeat time.","type":"integer","format":"int32"},"lastObservedTime":{"description":"lastObservedTime is the time when last Event from the series was seen before last heartbeat.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"}}},"io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration":{"description":"ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.","type":"object","properties":{"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod":{"description":"FlowDistinguisherMethod specifies the method of a flow distinguisher.","type":"object","required":["type"],"properties":{"type":{"description":"`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.FlowSchema":{"description":"FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaSpec"},"status":{"description":"`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1"}]},"io.k8s.api.flowcontrol.v1.FlowSchemaCondition":{"description":"FlowSchemaCondition describes conditions for a FlowSchema.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.FlowSchemaList":{"description":"FlowSchemaList is a list of FlowSchema objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of FlowSchemas.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchemaList","version":"v1"}]},"io.k8s.api.flowcontrol.v1.FlowSchemaSpec":{"description":"FlowSchemaSpec describes how the FlowSchema's specification looks like.","type":"object","required":["priorityLevelConfiguration"],"properties":{"distinguisherMethod":{"description":"`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod"},"matchingPrecedence":{"description":"`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.","type":"integer","format":"int32"},"priorityLevelConfiguration":{"description":"`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference"},"rules":{"description":"`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.flowcontrol.v1.FlowSchemaStatus":{"description":"FlowSchemaStatus represents the current state of a FlowSchema.","type":"object","properties":{"conditions":{"description":"`conditions` is a list of the current states of FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.flowcontrol.v1.GroupSubject":{"description":"GroupSubject holds detailed information for group-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.LimitResponse":{"description":"LimitResponse defines how to handle requests that can not be executed right now.","type":"object","required":["type"],"properties":{"queuing":{"description":"`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.QueuingConfiguration"},"type":{"description":"`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"queuing":"Queuing"}}]},"io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration":{"description":"LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?","type":"object","properties":{"borrowingLimitPercent":{"description":"`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.","type":"integer","format":"int32"},"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"limitResponse":{"description":"`limitResponse` indicates what to do with requests that can not be executed right now","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.LimitResponse"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1.NonResourcePolicyRule":{"description":"NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.","type":"object","required":["verbs","nonResourceURLs"],"properties":{"nonResourceURLs":{"description":"`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects":{"description":"PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.","type":"object","required":["subjects"],"properties":{"nonResourceRules":{"description":"`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.NonResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"resourceRules":{"description":"`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"subjects":{"description":"subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.Subject"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration":{"description":"PriorityLevelConfiguration represents the configuration of a priority level.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec"},"status":{"description":"`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1"}]},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition":{"description":"PriorityLevelConfigurationCondition defines the condition of priority level.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationList":{"description":"PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of request-priorities.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfigurationList","version":"v1"}]},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference":{"description":"PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the name of the priority level configuration being referenced Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec":{"description":"PriorityLevelConfigurationSpec specifies the configuration of a priority level.","type":"object","required":["type"],"properties":{"exempt":{"description":"`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration"},"limited":{"description":"`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration"},"type":{"description":"`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"exempt":"Exempt","limited":"Limited"}}]},"io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus":{"description":"PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".","type":"object","properties":{"conditions":{"description":"`conditions` is the current state of \"request-priority\".","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.flowcontrol.v1.QueuingConfiguration":{"description":"QueuingConfiguration holds the configuration parameters for queuing","type":"object","properties":{"handSize":{"description":"`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.","type":"integer","format":"int32"},"queueLengthLimit":{"description":"`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.","type":"integer","format":"int32"},"queues":{"description":"`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1.ResourcePolicyRule":{"description":"ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.","type":"object","required":["verbs","apiGroups","resources"],"properties":{"apiGroups":{"description":"`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"clusterScope":{"description":"`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.","type":"boolean"},"namespaces":{"description":"`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"resources":{"description":"`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.flowcontrol.v1.ServiceAccountSubject":{"description":"ServiceAccountSubject holds detailed information for service-account-kind subject.","type":"object","required":["namespace","name"],"properties":{"name":{"description":"`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.","type":"string"},"namespace":{"description":"`namespace` is the namespace of matching ServiceAccount objects. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1.Subject":{"description":"Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.","type":"object","required":["kind"],"properties":{"group":{"description":"`group` matches based on user group name.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.GroupSubject"},"kind":{"description":"`kind` indicates which one of the other fields is non-empty. Required","type":"string"},"serviceAccount":{"description":"`serviceAccount` matches ServiceAccounts.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ServiceAccountSubject"},"user":{"description":"`user` matches based on username.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.UserSubject"}},"x-kubernetes-unions":[{"discriminator":"kind","fields-to-discriminateBy":{"group":"Group","serviceAccount":"ServiceAccount","user":"User"}}]},"io.k8s.api.flowcontrol.v1.UserSubject":{"description":"UserSubject holds detailed information for user-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the username that matches, or \"*\" to match all usernames. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration":{"description":"ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.","type":"object","properties":{"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod":{"description":"FlowDistinguisherMethod specifies the method of a flow distinguisher.","type":"object","required":["type"],"properties":{"type":{"description":"`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.FlowSchema":{"description":"FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec"},"status":{"description":"`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchema","version":"v1beta3"}]},"io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition":{"description":"FlowSchemaCondition describes conditions for a FlowSchema.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.FlowSchemaList":{"description":"FlowSchemaList is a list of FlowSchema objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of FlowSchemas.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"FlowSchemaList","version":"v1beta3"}]},"io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec":{"description":"FlowSchemaSpec describes how the FlowSchema's specification looks like.","type":"object","required":["priorityLevelConfiguration"],"properties":{"distinguisherMethod":{"description":"`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod"},"matchingPrecedence":{"description":"`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.","type":"integer","format":"int32"},"priorityLevelConfiguration":{"description":"`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference"},"rules":{"description":"`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus":{"description":"FlowSchemaStatus represents the current state of a FlowSchema.","type":"object","properties":{"conditions":{"description":"`conditions` is a list of the current states of FlowSchema.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.flowcontrol.v1beta3.GroupSubject":{"description":"GroupSubject holds detailed information for group-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.LimitResponse":{"description":"LimitResponse defines how to handle requests that can not be executed right now.","type":"object","required":["type"],"properties":{"queuing":{"description":"`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration"},"type":{"description":"`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"queuing":"Queuing"}}]},"io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration":{"description":"LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?","type":"object","properties":{"borrowingLimitPercent":{"description":"`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.","type":"integer","format":"int32"},"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","type":"integer","format":"int32"},"limitResponse":{"description":"`limitResponse` indicates what to do with requests that can not be executed right now","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule":{"description":"NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.","type":"object","required":["verbs","nonResourceURLs"],"properties":{"nonResourceURLs":{"description":"`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects":{"description":"PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.","type":"object","required":["subjects"],"properties":{"nonResourceRules":{"description":"`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"resourceRules":{"description":"`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule"},"x-kubernetes-list-type":"atomic"},"subjects":{"description":"subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration":{"description":"PriorityLevelConfiguration represents the configuration of a priority level.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec"},"status":{"description":"`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfiguration","version":"v1beta3"}]},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition":{"description":"PriorityLevelConfigurationCondition defines the condition of priority level.","type":"object","properties":{"lastTransitionTime":{"description":"`lastTransitionTime` is the last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"`message` is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"`reason` is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"`status` is the status of the condition. Can be True, False, Unknown. Required.","type":"string"},"type":{"description":"`type` is the type of the condition. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList":{"description":"PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"`items` is a list of request-priorities.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"flowcontrol.apiserver.k8s.io","kind":"PriorityLevelConfigurationList","version":"v1beta3"}]},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference":{"description":"PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the name of the priority level configuration being referenced Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec":{"description":"PriorityLevelConfigurationSpec specifies the configuration of a priority level.","type":"object","required":["type"],"properties":{"exempt":{"description":"`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration"},"limited":{"description":"`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration"},"type":{"description":"`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.","type":"string"}},"x-kubernetes-unions":[{"discriminator":"type","fields-to-discriminateBy":{"exempt":"Exempt","limited":"Limited"}}]},"io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus":{"description":"PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".","type":"object","properties":{"conditions":{"description":"`conditions` is the current state of \"request-priority\".","type":"array","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration":{"description":"QueuingConfiguration holds the configuration parameters for queuing","type":"object","properties":{"handSize":{"description":"`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.","type":"integer","format":"int32"},"queueLengthLimit":{"description":"`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.","type":"integer","format":"int32"},"queues":{"description":"`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.","type":"integer","format":"int32"}}},"io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule":{"description":"ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.","type":"object","required":["verbs","apiGroups","resources"],"properties":{"apiGroups":{"description":"`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"clusterScope":{"description":"`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.","type":"boolean"},"namespaces":{"description":"`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"resources":{"description":"`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject":{"description":"ServiceAccountSubject holds detailed information for service-account-kind subject.","type":"object","required":["namespace","name"],"properties":{"name":{"description":"`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.","type":"string"},"namespace":{"description":"`namespace` is the namespace of matching ServiceAccount objects. Required.","type":"string"}}},"io.k8s.api.flowcontrol.v1beta3.Subject":{"description":"Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.","type":"object","required":["kind"],"properties":{"group":{"description":"`group` matches based on user group name.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject"},"kind":{"description":"`kind` indicates which one of the other fields is non-empty. Required","type":"string"},"serviceAccount":{"description":"`serviceAccount` matches ServiceAccounts.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject"},"user":{"description":"`user` matches based on username.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject"}},"x-kubernetes-unions":[{"discriminator":"kind","fields-to-discriminateBy":{"group":"Group","serviceAccount":"ServiceAccount","user":"User"}}]},"io.k8s.api.flowcontrol.v1beta3.UserSubject":{"description":"UserSubject holds detailed information for user-kind subject.","type":"object","required":["name"],"properties":{"name":{"description":"`name` is the username that matches, or \"*\" to match all usernames. Required.","type":"string"}}},"io.k8s.api.networking.v1.HTTPIngressPath":{"description":"HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.","type":"object","required":["pathType","backend"],"properties":{"backend":{"description":"backend defines the referenced service endpoint to which the traffic will be forwarded to.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressBackend"},"path":{"description":"path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".","type":"string"},"pathType":{"description":"pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.\n\nPossible enum values:\n - `\"Exact\"` matches the URL path exactly and with case sensitivity.\n - `\"ImplementationSpecific\"` matching is up to the IngressClass. Implementations can treat this as a separate PathType or treat it identically to Prefix or Exact path types.\n - `\"Prefix\"` matches based on a URL path prefix split by '/'. Matching is case sensitive and done on a path element by element basis. A path element refers to the list of labels in the path split by the '/' separator. A request is a match for path p if every p is an element-wise prefix of p of the request path. Note that if the last element of the path is a substring of the last element in request path, it is not a match (e.g. /foo/bar matches /foo/bar/baz, but does not match /foo/barbaz). If multiple matching paths exist in an Ingress spec, the longest matching path is given priority. Examples: - /foo/bar does not match requests to /foo/barbaz - /foo/bar matches request to /foo/bar and /foo/bar/baz - /foo and /foo/ both match requests to /foo and /foo/. If both paths are present in an Ingress spec, the longest matching path (/foo/) is given priority.","type":"string","enum":["Exact","ImplementationSpecific","Prefix"]}}},"io.k8s.api.networking.v1.HTTPIngressRuleValue":{"description":"HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.","type":"object","required":["paths"],"properties":{"paths":{"description":"paths is a collection of paths that map requests to backends.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.HTTPIngressPath"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.IPBlock":{"description":"IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.","type":"object","required":["cidr"],"properties":{"cidr":{"description":"cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"","type":"string"},"except":{"description":"except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.Ingress":{"description":"Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressSpec"},"status":{"description":"status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressStatus"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"Ingress","version":"v1"}]},"io.k8s.api.networking.v1.IngressBackend":{"description":"IngressBackend describes all endpoints for a given service and port.","type":"object","properties":{"resource":{"description":"resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\".","$ref":"#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"},"service":{"description":"service references a service as a backend. This is a mutually exclusive setting with \"Resource\".","$ref":"#/definitions/io.k8s.api.networking.v1.IngressServiceBackend"}}},"io.k8s.api.networking.v1.IngressClass":{"description":"IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassSpec"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressClass","version":"v1"}]},"io.k8s.api.networking.v1.IngressClassList":{"description":"IngressClassList is a collection of IngressClasses.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of IngressClasses.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressClassList","version":"v1"}]},"io.k8s.api.networking.v1.IngressClassParametersReference":{"description":"IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.","type":"string"},"kind":{"description":"kind is the type of resource being referenced.","type":"string"},"name":{"description":"name is the name of resource being referenced.","type":"string"},"namespace":{"description":"namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".","type":"string"},"scope":{"description":"scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".","type":"string"}}},"io.k8s.api.networking.v1.IngressClassSpec":{"description":"IngressClassSpec provides information about the class of an Ingress.","type":"object","properties":{"controller":{"description":"controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.","type":"string"},"parameters":{"description":"parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference"}}},"io.k8s.api.networking.v1.IngressList":{"description":"IngressList is a collection of Ingress.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of Ingress.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.Ingress"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IngressList","version":"v1"}]},"io.k8s.api.networking.v1.IngressLoadBalancerIngress":{"description":"IngressLoadBalancerIngress represents the status of a load-balancer ingress point.","type":"object","properties":{"hostname":{"description":"hostname is set for load-balancer ingress points that are DNS based.","type":"string"},"ip":{"description":"ip is set for load-balancer ingress points that are IP based.","type":"string"},"ports":{"description":"ports provides information about the ports exposed by this LoadBalancer.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressPortStatus"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.IngressLoadBalancerStatus":{"description":"IngressLoadBalancerStatus represents the status of a load-balancer.","type":"object","properties":{"ingress":{"description":"ingress is a list containing ingress points for the load-balancer.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.IngressPortStatus":{"description":"IngressPortStatus represents the error condition of a service port","type":"object","required":["port","protocol"],"properties":{"error":{"description":"error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.","type":"string"},"port":{"description":"port is the port number of the ingress port.","type":"integer","format":"int32"},"protocol":{"description":"protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}}},"io.k8s.api.networking.v1.IngressRule":{"description":"IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.","type":"object","properties":{"host":{"description":"host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.","type":"string"},"http":{"$ref":"#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue"}}},"io.k8s.api.networking.v1.IngressServiceBackend":{"description":"IngressServiceBackend references a Kubernetes Service as a Backend.","type":"object","required":["name"],"properties":{"name":{"description":"name is the referenced service. The service must exist in the same namespace as the Ingress object.","type":"string"},"port":{"description":"port of the referenced service. A port name or port number is required for a IngressServiceBackend.","$ref":"#/definitions/io.k8s.api.networking.v1.ServiceBackendPort"}}},"io.k8s.api.networking.v1.IngressSpec":{"description":"IngressSpec describes the Ingress the user wishes to exist.","type":"object","properties":{"defaultBackend":{"description":"defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressBackend"},"ingressClassName":{"description":"ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.","type":"string"},"rules":{"description":"rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressRule"},"x-kubernetes-list-type":"atomic"},"tls":{"description":"tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressTLS"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.IngressStatus":{"description":"IngressStatus describe the current state of the Ingress.","type":"object","properties":{"loadBalancer":{"description":"loadBalancer contains the current status of the load-balancer.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus"}}},"io.k8s.api.networking.v1.IngressTLS":{"description":"IngressTLS describes the transport layer security associated with an ingress.","type":"object","properties":{"hosts":{"description":"hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"secretName":{"description":"secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.","type":"string"}}},"io.k8s.api.networking.v1.NetworkPolicy":{"description":"NetworkPolicy describes what network traffic is allowed for a set of Pods","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents the specification of the desired behavior for this NetworkPolicy.","$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}]},"io.k8s.api.networking.v1.NetworkPolicyEgressRule":{"description":"NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8","type":"object","properties":{"ports":{"description":"ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"},"x-kubernetes-list-type":"atomic"},"to":{"description":"to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.NetworkPolicyIngressRule":{"description":"NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.","type":"object","properties":{"from":{"description":"from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"},"x-kubernetes-list-type":"atomic"},"ports":{"description":"ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.NetworkPolicyList":{"description":"NetworkPolicyList is a list of NetworkPolicy objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"NetworkPolicyList","version":"v1"}]},"io.k8s.api.networking.v1.NetworkPolicyPeer":{"description":"NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed","type":"object","properties":{"ipBlock":{"description":"ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.","$ref":"#/definitions/io.k8s.api.networking.v1.IPBlock"},"namespaceSelector":{"description":"namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"podSelector":{"description":"podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}}},"io.k8s.api.networking.v1.NetworkPolicyPort":{"description":"NetworkPolicyPort describes a port to allow traffic on","type":"object","properties":{"endPort":{"description":"endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.","type":"integer","format":"int32"},"port":{"description":"port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"protocol":{"description":"protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n\nPossible enum values:\n - `\"SCTP\"` is the SCTP protocol.\n - `\"TCP\"` is the TCP protocol.\n - `\"UDP\"` is the UDP protocol.","type":"string","enum":["SCTP","TCP","UDP"]}}},"io.k8s.api.networking.v1.NetworkPolicySpec":{"description":"NetworkPolicySpec provides the specification of a NetworkPolicy","type":"object","required":["podSelector"],"properties":{"egress":{"description":"egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule"},"x-kubernetes-list-type":"atomic"},"ingress":{"description":"ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)","type":"array","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule"},"x-kubernetes-list-type":"atomic"},"podSelector":{"description":"podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"policyTypes":{"description":"policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8","type":"array","items":{"type":"string","enum":["Egress","Ingress"]},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.networking.v1.ServiceBackendPort":{"description":"ServiceBackendPort is the service port being referenced.","type":"object","properties":{"name":{"description":"name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".","type":"string"},"number":{"description":"number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".","type":"integer","format":"int32"}}},"io.k8s.api.node.v1.Overhead":{"description":"Overhead structure represents the resource overhead associated with running a pod.","type":"object","properties":{"podFixed":{"description":"podFixed represents the fixed resource overhead associated with running a pod.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}}},"io.k8s.api.node.v1.RuntimeClass":{"description":"RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/","type":"object","required":["handler"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"handler":{"description":"handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"overhead":{"description":"overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/","$ref":"#/definitions/io.k8s.api.node.v1.Overhead"},"scheduling":{"description":"scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.","$ref":"#/definitions/io.k8s.api.node.v1.Scheduling"}},"x-kubernetes-group-version-kind":[{"group":"node.k8s.io","kind":"RuntimeClass","version":"v1"}]},"io.k8s.api.node.v1.RuntimeClassList":{"description":"RuntimeClassList is a list of RuntimeClass objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.node.v1.RuntimeClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"node.k8s.io","kind":"RuntimeClassList","version":"v1"}]},"io.k8s.api.node.v1.Scheduling":{"description":"Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.","type":"object","properties":{"nodeSelector":{"description":"nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.","type":"object","additionalProperties":{"type":"string"},"x-kubernetes-map-type":"atomic"},"tolerations":{"description":"tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Toleration"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.policy.v1.Eviction":{"description":"Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods//evictions.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"deleteOptions":{"description":"DeleteOptions may be provided","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"ObjectMeta describes the pod that is being evicted.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"Eviction","version":"v1"}]},"io.k8s.api.policy.v1.PodDisruptionBudget":{"description":"PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Specification of the desired behavior of the PodDisruptionBudget.","$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec"},"status":{"description":"Most recently observed status of the PodDisruptionBudget.","$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"PodDisruptionBudget","version":"v1"}]},"io.k8s.api.policy.v1.PodDisruptionBudgetList":{"description":"PodDisruptionBudgetList is a collection of PodDisruptionBudgets.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of PodDisruptionBudgets","type":"array","items":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"policy","kind":"PodDisruptionBudgetList","version":"v1"}]},"io.k8s.api.policy.v1.PodDisruptionBudgetSpec":{"description":"PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.","type":"object","properties":{"maxUnavailable":{"description":"An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"minAvailable":{"description":"An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\".","$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"},"selector":{"description":"Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","x-kubernetes-patch-strategy":"replace"},"unhealthyPodEvictionPolicy":{"description":"UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).\n\nPossible enum values:\n - `\"AlwaysAllow\"` policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n - `\"IfHealthyBudget\"` policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.","type":"string","enum":["AlwaysAllow","IfHealthyBudget"]}}},"io.k8s.api.policy.v1.PodDisruptionBudgetStatus":{"description":"PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.","type":"object","required":["disruptionsAllowed","currentHealthy","desiredHealthy","expectedPods"],"properties":{"conditions":{"description":"Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"currentHealthy":{"description":"current number of healthy pods","type":"integer","format":"int32"},"desiredHealthy":{"description":"minimum desired number of healthy pods","type":"integer","format":"int32"},"disruptedPods":{"description":"DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}},"disruptionsAllowed":{"description":"Number of pod disruptions that are currently allowed.","type":"integer","format":"int32"},"expectedPods":{"description":"total number of pods counted by this disruption budget","type":"integer","format":"int32"},"observedGeneration":{"description":"Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.","type":"integer","format":"int64"}}},"io.k8s.api.rbac.v1.AggregationRule":{"description":"AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole","type":"object","properties":{"clusterRoleSelectors":{"description":"ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.rbac.v1.ClusterRole":{"description":"ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.","type":"object","properties":{"aggregationRule":{"description":"AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.","$ref":"#/definitions/io.k8s.api.rbac.v1.AggregationRule"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"rules":{"description":"Rules holds all the PolicyRules for this ClusterRole","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.PolicyRule"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}]},"io.k8s.api.rbac.v1.ClusterRoleBinding":{"description":"ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.","type":"object","required":["roleRef"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"roleRef":{"description":"RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.","$ref":"#/definitions/io.k8s.api.rbac.v1.RoleRef"},"subjects":{"description":"Subjects holds references to the objects the role applies to.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Subject"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBinding","version":"v1"}]},"io.k8s.api.rbac.v1.ClusterRoleBindingList":{"description":"ClusterRoleBindingList is a collection of ClusterRoleBindings","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ClusterRoleBindings","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleBindingList","version":"v1"}]},"io.k8s.api.rbac.v1.ClusterRoleList":{"description":"ClusterRoleList is a collection of ClusterRoles","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ClusterRoles","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleList","version":"v1"}]},"io.k8s.api.rbac.v1.PolicyRule":{"description":"PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.","type":"object","required":["verbs"],"properties":{"apiGroups":{"description":"APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"nonResourceURLs":{"description":"NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resourceNames":{"description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"resources":{"description":"Resources is a list of resources this rule applies to. '*' represents all resources.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.rbac.v1.Role":{"description":"Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"rules":{"description":"Rules holds all the PolicyRules for this Role","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.PolicyRule"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"Role","version":"v1"}]},"io.k8s.api.rbac.v1.RoleBinding":{"description":"RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.","type":"object","required":["roleRef"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"roleRef":{"description":"RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.","$ref":"#/definitions/io.k8s.api.rbac.v1.RoleRef"},"subjects":{"description":"Subjects holds references to the objects the role applies to.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Subject"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleBinding","version":"v1"}]},"io.k8s.api.rbac.v1.RoleBindingList":{"description":"RoleBindingList is a collection of RoleBindings","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of RoleBindings","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.RoleBinding"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleBindingList","version":"v1"}]},"io.k8s.api.rbac.v1.RoleList":{"description":"RoleList is a collection of Roles","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of Roles","type":"array","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleList","version":"v1"}]},"io.k8s.api.rbac.v1.RoleRef":{"description":"RoleRef contains information that points to the role being used","type":"object","required":["apiGroup","kind","name"],"properties":{"apiGroup":{"description":"APIGroup is the group for the resource being referenced","type":"string"},"kind":{"description":"Kind is the type of resource being referenced","type":"string"},"name":{"description":"Name is the name of resource being referenced","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.rbac.v1.Subject":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.api.scheduling.v1.PriorityClass":{"description":"PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.","type":"object","required":["value"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"description":{"description":"description is an arbitrary string that usually provides guidelines on when this priority class should be used.","type":"string"},"globalDefault":{"description":"globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.","type":"boolean"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"preemptionPolicy":{"description":"preemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.\n\nPossible enum values:\n - `\"Never\"` means that pod never preempts other pods with lower priority.\n - `\"PreemptLowerPriority\"` means that pod can preempt other pods with lower priority.","type":"string","enum":["Never","PreemptLowerPriority"]},"value":{"description":"value represents the integer value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.","type":"integer","format":"int32"}},"x-kubernetes-group-version-kind":[{"group":"scheduling.k8s.io","kind":"PriorityClass","version":"v1"}]},"io.k8s.api.scheduling.v1.PriorityClassList":{"description":"PriorityClassList is a collection of priority classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of PriorityClasses","type":"array","items":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"scheduling.k8s.io","kind":"PriorityClassList","version":"v1"}]},"io.k8s.api.storage.v1.CSIDriver":{"description":"CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents the specification of the CSI Driver.","$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriverSpec"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIDriver","version":"v1"}]},"io.k8s.api.storage.v1.CSIDriverList":{"description":"CSIDriverList is a collection of CSIDriver objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSIDriver","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIDriver"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIDriverList","version":"v1"}]},"io.k8s.api.storage.v1.CSIDriverSpec":{"description":"CSIDriverSpec is the specification of a CSIDriver.","type":"object","properties":{"attachRequired":{"description":"attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called.\n\nThis field is immutable.","type":"boolean"},"fsGroupPolicy":{"description":"fsGroupPolicy defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details.\n\nThis field was immutable in Kubernetes < 1.29 and now is mutable.\n\nDefaults to ReadWriteOnceWithFSType, which will examine each volume to determine if Kubernetes should modify ownership and permissions of the volume. With the default policy the defined fsGroup will only be applied if a fstype is defined and the volume's access mode contains ReadWriteOnce.","type":"string"},"podInfoOnMount":{"description":"podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations, if set to true. If set to false, pod information will not be passed on mount. Default is false.\n\nThe CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext.\n\nThe following VolumeContext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. \"csi.storage.k8s.io/pod.name\": pod.Name \"csi.storage.k8s.io/pod.namespace\": pod.Namespace \"csi.storage.k8s.io/pod.uid\": string(pod.UID) \"csi.storage.k8s.io/ephemeral\": \"true\" if the volume is an ephemeral inline volume\n defined by a CSIVolumeSource, otherwise \"false\"\n\n\"csi.storage.k8s.io/ephemeral\" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the \"Persistent\" and \"Ephemeral\" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver.\n\nThis field was immutable in Kubernetes < 1.29 and now is mutable.","type":"boolean"},"requiresRepublish":{"description":"requiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false.\n\nNote: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container.","type":"boolean"},"seLinuxMount":{"description":"seLinuxMount specifies if the CSI driver supports \"-o context\" mount option.\n\nWhen \"true\", the CSI driver must ensure that all volumes provided by this CSI driver can be mounted separately with different `-o context` options. This is typical for storage backends that provide volumes as filesystems on block devices or as independent shared volumes. Kubernetes will call NodeStage / NodePublish with \"-o context=xyz\" mount option when mounting a ReadWriteOncePod volume used in Pod that has explicitly set SELinux context. In the future, it may be expanded to other volume AccessModes. In any case, Kubernetes will ensure that the volume is mounted only with a single SELinux context.\n\nWhen \"false\", Kubernetes won't pass any special SELinux mount options to the driver. This is typical for volumes that represent subdirectories of a bigger shared filesystem.\n\nDefault is \"false\".","type":"boolean"},"storageCapacity":{"description":"storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information, if set to true.\n\nThe check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object.\n\nAlternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published.\n\nThis field was immutable in Kubernetes <= 1.22 and now is mutable.","type":"boolean"},"tokenRequests":{"description":"tokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: \"csi.storage.k8s.io/serviceAccount.tokens\": {\n \"\": {\n \"token\": ,\n \"expirationTimestamp\": ,\n },\n ...\n}\n\nNote: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.TokenRequest"},"x-kubernetes-list-type":"atomic"},"volumeLifecycleModes":{"description":"volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is \"Persistent\", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism.\n\nThe other mode is \"Ephemeral\". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume.\n\nFor more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future.\n\nThis field is beta. This field is immutable.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set"}}},"io.k8s.api.storage.v1.CSINode":{"description":"CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. metadata.name must be the Kubernetes node name.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec is the specification of CSINode","$ref":"#/definitions/io.k8s.api.storage.v1.CSINodeSpec"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSINode","version":"v1"}]},"io.k8s.api.storage.v1.CSINodeDriver":{"description":"CSINodeDriver holds information about the specification of one CSI driver installed on a node","type":"object","required":["name","nodeID"],"properties":{"allocatable":{"description":"allocatable represents the volume resources of a node that are available for scheduling. This field is beta.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeNodeResources"},"name":{"description":"name represents the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.","type":"string"},"nodeID":{"description":"nodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as \"node1\", but the storage system may refer to the same node as \"nodeA\". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. \"nodeA\" instead of \"node1\". This field is required.","type":"string"},"topologyKeys":{"description":"topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. \"company.com/zone\", \"company.com/region\"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.api.storage.v1.CSINodeList":{"description":"CSINodeList is a collection of CSINode objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSINode","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSINodeList","version":"v1"}]},"io.k8s.api.storage.v1.CSINodeSpec":{"description":"CSINodeSpec holds information about the specification of all CSI drivers installed on a node","type":"object","required":["drivers"],"properties":{"drivers":{"description":"drivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINodeDriver"},"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.api.storage.v1.CSIStorageCapacity":{"description":"CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment. This can be used when considering where to instantiate new PersistentVolumes.\n\nFor example this can express things like: - StorageClass \"standard\" has \"1234 GiB\" available in \"topology.kubernetes.io/zone=us-east1\" - StorageClass \"localssd\" has \"10 GiB\" available in \"kubernetes.io/hostname=knode-abc123\"\n\nThe following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero\n\nThe producer of these objects can decide which approach is more suitable.\n\nThey are consumed by the kube-scheduler when a CSI driver opts into capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler compares the MaximumVolumeSize against the requested size of pending volumes to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back to a comparison against the less precise Capacity. If that is also unset, the scheduler assumes that capacity is insufficient and tries some other node.","type":"object","required":["storageClassName"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"capacity":{"description":"capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"maximumVolumeSize":{"description":"maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"metadata":{"description":"Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"nodeTopology":{"description":"nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"storageClassName":{"description":"storageClassName represents the name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}]},"io.k8s.api.storage.v1.CSIStorageCapacityList":{"description":"CSIStorageCapacityList is a collection of CSIStorageCapacity objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of CSIStorageCapacity objects.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSIStorageCapacity"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIStorageCapacityList","version":"v1"}]},"io.k8s.api.storage.v1.StorageClass":{"description":"StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned.\n\nStorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.","type":"object","required":["provisioner"],"properties":{"allowVolumeExpansion":{"description":"allowVolumeExpansion shows whether the storage class allow volume expand.","type":"boolean"},"allowedTopologies":{"description":"allowedTopologies restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.","type":"array","items":{"$ref":"#/definitions/io.k8s.api.core.v1.TopologySelectorTerm"},"x-kubernetes-list-type":"atomic"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"mountOptions":{"description":"mountOptions controls the mountOptions for dynamically provisioned PersistentVolumes of this storage class. e.g. [\"ro\", \"soft\"]. Not validated - mount of the PVs will simply fail if one is invalid.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"parameters":{"description":"parameters holds the parameters for the provisioner that should create volumes of this storage class.","type":"object","additionalProperties":{"type":"string"}},"provisioner":{"description":"provisioner indicates the type of the provisioner.","type":"string"},"reclaimPolicy":{"description":"reclaimPolicy controls the reclaimPolicy for dynamically provisioned PersistentVolumes of this storage class. Defaults to Delete.\n\nPossible enum values:\n - `\"Delete\"` means the volume will be deleted from Kubernetes on release from its claim. The volume plugin must support Deletion.\n - `\"Recycle\"` means the volume will be recycled back into the pool of unbound persistent volumes on release from its claim. The volume plugin must support Recycling.\n - `\"Retain\"` means the volume will be left in its current phase (Released) for manual reclamation by the administrator. The default policy is Retain.","type":"string","enum":["Delete","Recycle","Retain"]},"volumeBindingMode":{"description":"volumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.\n\nPossible enum values:\n - `\"Immediate\"` indicates that PersistentVolumeClaims should be immediately provisioned and bound. This is the default mode.\n - `\"WaitForFirstConsumer\"` indicates that PersistentVolumeClaims should not be provisioned and bound until the first Pod is created that references the PeristentVolumeClaim. The volume provisioning and binding will occur during Pod scheduing.","type":"string","enum":["Immediate","WaitForFirstConsumer"]}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"StorageClass","version":"v1"}]},"io.k8s.api.storage.v1.StorageClassList":{"description":"StorageClassList is a collection of storage classes.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of StorageClasses","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"StorageClassList","version":"v1"}]},"io.k8s.api.storage.v1.TokenRequest":{"description":"TokenRequest contains parameters of a service account token.","type":"object","required":["audience"],"properties":{"audience":{"description":"audience is the intended audience of the token in \"TokenRequestSpec\". It will default to the audiences of kube apiserver.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the duration of validity of the token in \"TokenRequestSpec\". It has the same default value of \"ExpirationSeconds\" in \"TokenRequestSpec\".","type":"integer","format":"int64"}}},"io.k8s.api.storage.v1.VolumeAttachment":{"description":"VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.\n\nVolumeAttachment objects are non-namespaced.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSpec"},"status":{"description":"status represents status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentStatus"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttachment","version":"v1"}]},"io.k8s.api.storage.v1.VolumeAttachmentList":{"description":"VolumeAttachmentList is a collection of VolumeAttachment objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of VolumeAttachments","type":"array","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachment"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttachmentList","version":"v1"}]},"io.k8s.api.storage.v1.VolumeAttachmentSource":{"description":"VolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.","type":"object","properties":{"inlineVolumeSpec":{"description":"inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature.","$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"},"persistentVolumeName":{"description":"persistentVolumeName represents the name of the persistent volume to attach.","type":"string"}}},"io.k8s.api.storage.v1.VolumeAttachmentSpec":{"description":"VolumeAttachmentSpec is the specification of a VolumeAttachment request.","type":"object","required":["attacher","source","nodeName"],"properties":{"attacher":{"description":"attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().","type":"string"},"nodeName":{"description":"nodeName represents the node that the volume should be attached to.","type":"string"},"source":{"description":"source represents the volume that should be attached.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSource"}}},"io.k8s.api.storage.v1.VolumeAttachmentStatus":{"description":"VolumeAttachmentStatus is the status of a VolumeAttachment request.","type":"object","required":["attached"],"properties":{"attachError":{"description":"attachError represents the last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeError"},"attached":{"description":"attached indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","type":"boolean"},"attachmentMetadata":{"description":"attachmentMetadata is populated with any information returned by the attach operation, upon successful attach, that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.","type":"object","additionalProperties":{"type":"string"}},"detachError":{"description":"detachError represents the last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher.","$ref":"#/definitions/io.k8s.api.storage.v1.VolumeError"}}},"io.k8s.api.storage.v1.VolumeError":{"description":"VolumeError captures an error encountered during a volume operation.","type":"object","properties":{"message":{"description":"message represents the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.","type":"string"},"time":{"description":"time represents the time the error was encountered.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.api.storage.v1.VolumeNodeResources":{"description":"VolumeNodeResources is a set of resource limits for scheduling of volumes.","type":"object","properties":{"count":{"description":"count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.","type":"integer","format":"int32"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition":{"description":"CustomResourceColumnDefinition specifies a column for server side printing.","type":"object","required":["name","type","jsonPath"],"properties":{"description":{"description":"description is a human readable description of this column.","type":"string"},"format":{"description":"format is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.","type":"string"},"jsonPath":{"description":"jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.","type":"string"},"name":{"description":"name is a human readable name for the column.","type":"string"},"priority":{"description":"priority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.","type":"integer","format":"int32"},"type":{"description":"type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion":{"description":"CustomResourceConversion describes how to convert different versions of a CR.","type":"object","required":["strategy"],"properties":{"strategy":{"description":"strategy specifies how custom resources are converted between versions. Allowed values are: - `\"None\"`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `\"Webhook\"`: API Server will call to an external webhook to do the conversion. Additional information\n is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.","type":"string"},"webhook":{"description":"webhook describes how to call the conversion webhook. Required when `strategy` is set to `\"Webhook\"`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition":{"description":"CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format <.spec.name>.<.spec.group>.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"spec describes how the user wants the resources to appear","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"},"status":{"description":"status indicates the actual state of the CustomResourceDefinition","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"}},"x-kubernetes-group-version-kind":[{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}]},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition":{"description":"CustomResourceDefinitionCondition contains details for the current condition of this pod.","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"reason is a unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition. Can be True, False, Unknown.","type":"string"},"type":{"description":"type is the type of the condition. Types include Established, NamesAccepted and Terminating.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList":{"description":"CustomResourceDefinitionList is a list of CustomResourceDefinition objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items list individual CustomResourceDefinition objects","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinitionList","version":"v1"}]},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames":{"description":"CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition","type":"object","required":["plural","kind"],"properties":{"categories":{"description":"categories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.","type":"string"},"listKind":{"description":"listKind is the serialized kind of the list for this resource. Defaults to \"`kind`List\".","type":"string"},"plural":{"description":"plural is the plural name of the resource to serve. The custom resources are served under `/apis///.../`. Must match the name of the CustomResourceDefinition (in the form `.`). Must be all lowercase.","type":"string"},"shortNames":{"description":"shortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get `. It must be all lowercase.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"singular":{"description":"singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec":{"description":"CustomResourceDefinitionSpec describes how a user wants their resource to appear","type":"object","required":["group","names","scope","versions"],"properties":{"conversion":{"description":"conversion defines conversion settings for the CRD.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"},"group":{"description":"group is the API group of the defined custom resource. The custom resources are served under `/apis//...`. Must match the name of the CustomResourceDefinition (in the form `.`).","type":"string"},"names":{"description":"names specify the resource and kind names for the custom resource.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"},"preserveUnknownFields":{"description":"preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.","type":"boolean"},"scope":{"description":"scope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.","type":"string"},"versions":{"description":"versions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is \"kube-like\", it will sort above non \"kube-like\" version strings, which are ordered lexicographically. \"Kube-like\" versions start with a \"v\", then are followed by a number (the major version), then optionally the string \"alpha\" or \"beta\" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus":{"description":"CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition","type":"object","properties":{"acceptedNames":{"description":"acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"},"conditions":{"description":"conditions indicate state for particular aspects of a CustomResourceDefinition","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"storedVersions":{"description":"storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion":{"description":"CustomResourceDefinitionVersion describes a version for CRD.","type":"object","required":["name","served","storage"],"properties":{"additionalPrinterColumns":{"description":"additionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If no columns are specified, a single column displaying the age of the custom resource is used.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition"},"x-kubernetes-list-type":"atomic"},"deprecated":{"description":"deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.","type":"boolean"},"deprecationWarning":{"description":"deprecationWarning overrides the default warning returned to API clients. May only be set when `deprecated` is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.","type":"string"},"name":{"description":"name is the version name, e.g. “v1”, “v2beta1”, etc. The custom resources are served under this version at `/apis///...` if `served` is true.","type":"string"},"schema":{"description":"schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"},"selectableFields":{"description":"selectableFields specifies paths to fields that may be used as field selectors. A maximum of 8 selectable fields are allowed. See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField"},"x-kubernetes-list-type":"atomic"},"served":{"description":"served is a flag enabling/disabling this version from being served via REST APIs","type":"boolean"},"storage":{"description":"storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.","type":"boolean"},"subresources":{"description":"subresources specify what subresources this version of the defined custom resource have.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale":{"description":"CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.","type":"object","required":["specReplicasPath","statusReplicasPath"],"properties":{"labelSelectorPath":{"description":"labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.","type":"string"},"specReplicasPath":{"description":"specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.","type":"string"},"statusReplicasPath":{"description":"statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus":{"description":"CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza","type":"object"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources":{"description":"CustomResourceSubresources defines the status and scale subresources for CustomResources.","type":"object","properties":{"scale":{"description":"scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"},"status":{"description":"status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation":{"description":"CustomResourceValidation is a list of validation methods for CustomResources.","type":"object","properties":{"openAPIV3Schema":{"description":"openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation":{"description":"ExternalDocumentation allows referencing an external resource for extended documentation.","type":"object","properties":{"description":{"type":"string"},"url":{"type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON":{"description":"JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps":{"description":"JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).","type":"object","properties":{"$ref":{"type":"string"},"$schema":{"type":"string"},"additionalItems":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"},"additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool"},"allOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"anyOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"default":{"description":"default is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"definitions":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"dependencies":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray"}},"description":{"type":"string"},"enum":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"x-kubernetes-list-type":"atomic"},"example":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"},"exclusiveMaximum":{"type":"boolean"},"exclusiveMinimum":{"type":"boolean"},"externalDocs":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation"},"format":{"description":"format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:\n\n- bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. - ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like \"0321751043\" or \"978-0321751041\" - isbn10: an ISBN10 number string like \"0321751043\" - isbn13: an ISBN13 number string like \"978-0321751041\" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$ - hexcolor: an hexadecimal color code like \"#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like \"rgb(255,255,2559\" - byte: base64 encoded binary data - password: any kind of string - date: a date string like \"2006-01-02\" as defined by full-date in RFC3339 - duration: a duration string like \"22 ns\" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like \"2014-12-15T19:30:20.000Z\" as defined by date-time in RFC3339.","type":"string"},"id":{"type":"string"},"items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray"},"maxItems":{"type":"integer","format":"int64"},"maxLength":{"type":"integer","format":"int64"},"maxProperties":{"type":"integer","format":"int64"},"maximum":{"type":"number","format":"double"},"minItems":{"type":"integer","format":"int64"},"minLength":{"type":"integer","format":"int64"},"minProperties":{"type":"integer","format":"int64"},"minimum":{"type":"number","format":"double"},"multipleOf":{"type":"number","format":"double"},"not":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"nullable":{"type":"boolean"},"oneOf":{"type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"},"x-kubernetes-list-type":"atomic"},"pattern":{"type":"string"},"patternProperties":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"properties":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps"}},"required":{"type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"title":{"type":"string"},"type":{"type":"string"},"uniqueItems":{"type":"boolean"},"x-kubernetes-embedded-resource":{"description":"x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).","type":"boolean"},"x-kubernetes-int-or-string":{"description":"x-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns:\n\n1) anyOf:\n - type: integer\n - type: string\n2) allOf:\n - anyOf:\n - type: integer\n - type: string\n - ... zero or more","type":"boolean"},"x-kubernetes-list-map-keys":{"description":"x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used as the index of the map.\n\nThis tag MUST only be used on lists that have the \"x-kubernetes-list-type\" extension set to \"map\". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported).\n\nThe properties specified must either be required or have a default value, to ensure those properties are present for all list items.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"x-kubernetes-list-type":{"description":"x-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values:\n\n1) `atomic`: the list is treated as a single entity, like a scalar.\n Atomic lists will be entirely replaced when updated. This extension\n may be used on any type of list (struct, scalar, ...).\n2) `set`:\n Sets are lists that must not have multiple items with the same value. Each\n value must be a scalar, an object with x-kubernetes-map-type `atomic` or an\n array with x-kubernetes-list-type `atomic`.\n3) `map`:\n These lists are like maps in that their elements have a non-index key\n used to identify them. Order is preserved upon merge. The map tag\n must only be used on a list with elements of type object.\nDefaults to atomic for arrays.","type":"string"},"x-kubernetes-map-type":{"description":"x-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values:\n\n1) `granular`:\n These maps are actual maps (key-value pairs) and each fields are independent\n from each other (they can each be manipulated by separate actors). This is\n the default behaviour for all maps.\n2) `atomic`: the list is treated as a single entity, like a scalar.\n Atomic maps will be entirely replaced when updated.","type":"string"},"x-kubernetes-preserve-unknown-fields":{"description":"x-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.","type":"boolean"},"x-kubernetes-validations":{"description":"x-kubernetes-validations describes a list of validation rules written in the CEL expression language. This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.","type":"array","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule"},"x-kubernetes-list-map-keys":["rule"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"rule","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray":{"description":"JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool":{"description":"JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray":{"description":"JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField":{"description":"SelectableField specifies the JSON path of a field that may be used with field selectors.","type":"object","required":["jsonPath"],"properties":{"jsonPath":{"description":"jsonPath is a simple JSON path which is evaluated against each custom resource to produce a field selector value. Only JSON paths without the array notation are allowed. Must point to a field of type string, boolean or integer. Types with enum values and strings with formats are allowed. If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty string. Must not point to metdata fields. Required.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","required":["namespace","name"],"properties":{"name":{"description":"name is the name of the service. Required","type":"string"},"namespace":{"description":"namespace is the namespace of the service. Required","type":"string"},"path":{"description":"path is an optional URL path at which the webhook will be contacted.","type":"string"},"port":{"description":"port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.","type":"integer","format":"int32"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ValidationRule":{"description":"ValidationRule describes a validation rule written in the CEL expression language.","type":"object","required":["rule"],"properties":{"fieldPath":{"description":"fieldPath represents the field path returned when the validation fails. It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field. e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo` If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList` It does not support list numeric index. It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info. Numeric index of array is not supported. For field name which contains special characters, use `['specialName']` to refer the field name. e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Rule contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\"","type":"string"},"messageExpression":{"description":"MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a rule, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the rule; the only difference is the return type. Example: \"x must be less than max (\"+string(self.max)+\")\"","type":"string"},"optionalOldSelf":{"description":"optionalOldSelf is used to opt a transition rule into evaluation even when the object is first created, or if the old object is missing the value.\n\nWhen enabled `oldSelf` will be a CEL optional whose value will be `None` if there is no old value, or when the object is initially created.\n\nYou may check for presence of oldSelf using `oldSelf.hasValue()` and unwrap it after checking using `oldSelf.value()`. Check the CEL documentation for Optional types for more information: https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes\n\nMay not be set unless `oldSelf` is used in `rule`.","type":"boolean"},"reason":{"description":"reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule. The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule. The currently supported reasons are: \"FieldValueInvalid\", \"FieldValueForbidden\", \"FieldValueRequired\", \"FieldValueDuplicate\". If not set, default to use \"FieldValueInvalid\". All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.\n\nPossible enum values:\n - `\"FieldValueDuplicate\"` is used to report collisions of values that must be unique (e.g. unique IDs).\n - `\"FieldValueForbidden\"` is used to report valid (as per formatting rules) values which would be accepted under some conditions, but which are not permitted by the current conditions (such as security policy).\n - `\"FieldValueInvalid\"` is used to report malformed values (e.g. failed regex match, too long, out of bounds).\n - `\"FieldValueRequired\"` is used to report required values that are not provided (e.g. empty strings, null values, or empty arrays).","type":"string","enum":["FieldValueDuplicate","FieldValueForbidden","FieldValueInvalid","FieldValueRequired"]},"rule":{"description":"Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the x-kubernetes-validations extension in the schema. The `self` variable in the CEL expression is bound to the scoped value. Example: - Rule scoped to the root of a resource with a status subresource: {\"rule\": \"self.status.actual <= self.spec.maxDesired\"}\n\nIf the Rule is scoped to an object with properties, the accessible properties of the object are field selectable via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as absent fields in CEL expressions. If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map are accessible via CEL macros and functions such as `self.all(...)`. If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and functions. If the Rule is scoped to a scalar, `self` is bound to the scalar value. Examples: - Rule scoped to a map of objects: {\"rule\": \"self.components['Widget'].priority < 10\"} - Rule scoped to a list of integers: {\"rule\": \"self.values.all(value, value >= 0 && value < 100)\"} - Rule scoped to a string value: {\"rule\": \"self.startsWith('kube')\"}\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.\n\nUnknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL expressions. This includes: - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields. - Object properties where the property schema is of an \"unknown type\". An \"unknown type\" is recursively defined as:\n - A schema with no type and x-kubernetes-preserve-unknown-fields set to true\n - An array where the items schema is of an \"unknown type\"\n - An object where the additionalProperties schema is of an \"unknown type\"\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Rule accessing a property named \"namespace\": {\"rule\": \"self.__namespace__ > 0\"}\n - Rule accessing a property named \"x-prop\": {\"rule\": \"self.x__dash__prop > 0\"}\n - Rule accessing a property named \"redact__d\": {\"rule\": \"self.redact__underscores__d > 0\"}\n\nEquality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\n\nIf `rule` makes use of the `oldSelf` variable it is implicitly a `transition rule`.\n\nBy default, the `oldSelf` variable is the same type as `self`. When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional\n variable whose value() is the same type as `self`.\nSee the documentation for the `optionalOldSelf` field for details.\n\nTransition rules by default are applied only on UPDATE requests and are skipped if an old value could not be found. You can opt a transition rule into unconditional evaluation by setting `optionalOldSelf` to true.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook.","type":"object","properties":{"caBundle":{"description":"caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte"},"service":{"description":"service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference"},"url":{"description":"url gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.","type":"string"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion":{"description":"WebhookConversion describes how to call a conversion webhook","type":"object","required":["conversionReviewVersions"],"properties":{"clientConfig":{"description":"clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig"},"conversionReviewVersions":{"description":"conversionReviewVersions is an ordered list of preferred `ConversionReview` versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.apimachinery.pkg.api.resource.Quantity":{"description":"Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors.\n\nThe serialization format is:\n\n``` ::= \n\n\t(Note that may be empty, from the \"\" case in .)\n\n ::= 0 | 1 | ... | 9 ::= | ::= | . | . | . ::= \"+\" | \"-\" ::= | ::= | | ::= Ki | Mi | Gi | Ti | Pi | Ei\n\n\t(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)\n\n ::= m | \"\" | k | M | G | T | P | E\n\n\t(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)\n\n ::= \"e\" | \"E\" ```\n\nNo matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.\n\nWhen a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.\n\nBefore serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:\n\n- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.\n\nThe sign will be omitted unless the number is negative.\n\nExamples:\n\n- 1.5 will be serialized as \"1500m\" - 1.5Gi will be serialized as \"1536Mi\"\n\nNote that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.\n\nNon-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.)\n\nThis format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.","type":"string"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup":{"description":"APIGroup contains the name, the supported versions, and the preferred version of a group.","type":"object","required":["name","versions"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"name is the name of the group.","type":"string"},"preferredVersion":{"description":"preferredVersion is the version preferred by the API server, which probably is the storage version.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"serverAddressByClientCIDRs":{"description":"a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"x-kubernetes-list-type":"atomic"},"versions":{"description":"versions are the versions supported in this group.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIGroup","version":"v1"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList":{"description":"APIGroupList is a list of APIGroup, to allow clients to discover the API at /apis.","type":"object","required":["groups"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"groups":{"description":"groups is a list of APIGroup.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup"},"x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIGroupList","version":"v1"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.APIResource":{"description":"APIResource specifies the name of a resource and whether it is namespaced.","type":"object","required":["name","singularName","namespaced","kind","verbs"],"properties":{"categories":{"description":"categories is a list of the grouped resources this resource belongs to (e.g. 'all')","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"group":{"description":"group is the preferred group of the resource. Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".","type":"string"},"kind":{"description":"kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')","type":"string"},"name":{"description":"name is the plural name of the resource.","type":"string"},"namespaced":{"description":"namespaced indicates if a resource is namespaced or not.","type":"boolean"},"shortNames":{"description":"shortNames is a list of suggested short names of the resource.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"singularName":{"description":"singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.","type":"string"},"storageVersionHash":{"description":"The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.","type":"string"},"verbs":{"description":"verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)","type":"array","items":{"type":"string"}},"version":{"description":"version is the preferred version of the resource. Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList":{"description":"APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.","type":"object","required":["groupVersion","resources"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"groupVersion":{"description":"groupVersion is the group and version this APIResourceList is for.","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"resources":{"description":"resources contains the name of the resources and if they are namespaced.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIResourceList","version":"v1"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions":{"description":"APIVersions lists the versions that are available, to allow clients to discover the API at /api, which is the root path of the legacy v1 API.","type":"object","required":["versions","serverAddressByClientCIDRs"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"serverAddressByClientCIDRs":{"description":"a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"x-kubernetes-list-type":"atomic"},"versions":{"description":"versions are the api versions that are available.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"APIVersions","version":"v1"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.Condition":{"description":"Condition contains details for one aspect of the current state of this API Resource.","type":"object","required":["type","status","lastTransitionTime","reason","message"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"message is a human readable message indicating details about the transition. This may be an empty string.","type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.","type":"integer","format":"int64"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions":{"description":"DeleteOptions may be provided when deleting an API object.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"dryRun":{"description":"When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"},"gracePeriodSeconds":{"description":"The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.","type":"integer","format":"int64"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"orphanDependents":{"description":"Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.","type":"boolean"},"preconditions":{"description":"Must be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"},"propagationPolicy":{"description":"Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"DeleteOptions","version":"v1"},{"group":"admission.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"admission.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"admissionregistration.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apiextensions.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"apiextensions.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apiregistration.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"apiregistration.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"apps","kind":"DeleteOptions","version":"v1"},{"group":"apps","kind":"DeleteOptions","version":"v1beta1"},{"group":"apps","kind":"DeleteOptions","version":"v1beta2"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"authentication.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"authorization.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"authorization.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2beta1"},{"group":"autoscaling","kind":"DeleteOptions","version":"v2beta2"},{"group":"batch","kind":"DeleteOptions","version":"v1"},{"group":"batch","kind":"DeleteOptions","version":"v1beta1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"certificates.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"coordination.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"coordination.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"discovery.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"discovery.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"events.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"events.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"extensions","kind":"DeleteOptions","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta2"},{"group":"flowcontrol.apiserver.k8s.io","kind":"DeleteOptions","version":"v1beta3"},{"group":"imagepolicy.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"internal.apiserver.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"networking.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"node.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"policy","kind":"DeleteOptions","version":"v1"},{"group":"policy","kind":"DeleteOptions","version":"v1beta1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"rbac.authorization.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"resource.k8s.io","kind":"DeleteOptions","version":"v1alpha2"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"scheduling.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1alpha1"},{"group":"storage.k8s.io","kind":"DeleteOptions","version":"v1beta1"},{"group":"storagemigration.k8s.io","kind":"DeleteOptions","version":"v1alpha1"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1":{"description":"FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:', where is the name of a field in a struct, or key in a map 'v:', where is the exact json formatted value of a list item 'i:', where is position of a item in a list 'k:', where is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff","type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery":{"description":"GroupVersion contains the \"group/version\" and \"version\" string of a version. It is made a struct to keep extensibility.","type":"object","required":["groupVersion","version"],"properties":{"groupVersion":{"description":"groupVersion specifies the API group and version in the form \"group/version\"","type":"string"},"version":{"description":"version specifies the version in the form of \"version\". This is to save the clients the trouble of splitting the GroupVersion.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"},"x-kubernetes-list-type":"atomic"},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"atomic"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta":{"description":"ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.","type":"object","properties":{"continue":{"description":"continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.","type":"string"},"remainingItemCount":{"description":"remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.","type":"integer","format":"int64"},"resourceVersion":{"description":"String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"selfLink":{"description":"Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry":{"description":"ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.","type":"string"},"fieldsType":{"description":"FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"","type":"string"},"fieldsV1":{"description":"FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"},"manager":{"description":"Manager is an identifier of the workflow managing these fields.","type":"string"},"operation":{"description":"Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.","type":"string"},"subresource":{"description":"Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.","type":"string"},"time":{"description":"Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":{"description":"MicroTime is version of Time with microsecond level precision.","type":"string","format":"date-time"},"io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta":{"description":"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.","type":"object","properties":{"annotations":{"description":"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations","type":"object","additionalProperties":{"type":"string"}},"creationTimestamp":{"description":"CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"deletionGracePeriodSeconds":{"description":"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.","type":"integer","format":"int64"},"deletionTimestamp":{"description":"DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"finalizers":{"description":"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.","type":"array","items":{"type":"string"},"x-kubernetes-list-type":"set","x-kubernetes-patch-strategy":"merge"},"generateName":{"description":"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency","type":"string"},"generation":{"description":"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.","type":"integer","format":"int64"},"labels":{"description":"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels","type":"object","additionalProperties":{"type":"string"}},"managedFields":{"description":"ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"},"x-kubernetes-list-type":"atomic"},"name":{"description":"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"namespace":{"description":"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces","type":"string"},"ownerReferences":{"description":"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"},"x-kubernetes-list-map-keys":["uid"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"uid","x-kubernetes-patch-strategy":"merge"},"resourceVersion":{"description":"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"selfLink":{"description":"Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.","type":"string"},"uid":{"description":"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference":{"description":"OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"io.k8s.apimachinery.pkg.apis.meta.v1.Patch":{"description":"Patch is provided to give a concrete name and type to the Kubernetes PATCH request body.","type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions":{"description":"Preconditions must be fulfilled before an operation (update, delete, etc.) is carried out.","type":"object","properties":{"resourceVersion":{"description":"Specifies the target ResourceVersion","type":"string"},"uid":{"description":"Specifies the target UID.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR":{"description":"ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.","type":"object","required":["clientCIDR","serverAddress"],"properties":{"clientCIDR":{"description":"The CIDR with which clients can match their IP to figure out the server address that they should use.","type":"string"},"serverAddress":{"description":"Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.Status":{"description":"Status is a return value for calls that don't return other objects.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"code":{"description":"Suggested HTTP return code for this status, 0 if not set.","type":"integer","format":"int32"},"details":{"description":"Extended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails","x-kubernetes-list-type":"atomic"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"message":{"description":"A human-readable description of the status of this operation.","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"},"reason":{"description":"A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.","type":"string"},"status":{"description":"Status of the operation. One of: \"Success\" or \"Failure\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status","type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"Status","version":"v1"},{"group":"resource.k8s.io","kind":"Status","version":"v1alpha2"}]},"io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause":{"description":"StatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.","type":"object","properties":{"field":{"description":"The field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed. Fields may appear more than once in an array of causes due to fields having multiple errors. Optional.\n\nExamples:\n \"name\" - the field \"name\" on the current resource\n \"items[0].name\" - the field \"name\" on the first array entry in \"items\"","type":"string"},"message":{"description":"A human-readable description of the cause of the error. This field may be presented as-is to a reader.","type":"string"},"reason":{"description":"A machine-readable description of the cause of the error. If this value is empty there is no information available.","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails":{"description":"StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.","type":"object","properties":{"causes":{"description":"The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.","type":"array","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause"},"x-kubernetes-list-type":"atomic"},"group":{"description":"The group attribute of the resource associated with the status StatusReason.","type":"string"},"kind":{"description":"The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).","type":"string"},"retryAfterSeconds":{"description":"If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.","type":"integer","format":"int32"},"uid":{"description":"UID of the resource. (when there is a single resource which can be described). More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}}},"io.k8s.apimachinery.pkg.apis.meta.v1.Time":{"description":"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.","type":"string","format":"date-time"},"io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent":{"description":"Event represents a single event to a watched resource.","type":"object","required":["type","object"],"properties":{"object":{"description":"Object is:\n * If Type is Added or Modified: the new state of the object.\n * If Type is Deleted: the state of the object immediately before deletion.\n * If Type is Error: *Status is recommended; other types may make sense\n depending on context.","$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"},"type":{"type":"string"}},"x-kubernetes-group-version-kind":[{"group":"","kind":"WatchEvent","version":"v1"},{"group":"admission.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"admission.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"admissionregistration.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apiextensions.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"apiextensions.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apiregistration.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"apiregistration.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"apps","kind":"WatchEvent","version":"v1"},{"group":"apps","kind":"WatchEvent","version":"v1beta1"},{"group":"apps","kind":"WatchEvent","version":"v1beta2"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"authentication.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"authorization.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"authorization.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"autoscaling","kind":"WatchEvent","version":"v1"},{"group":"autoscaling","kind":"WatchEvent","version":"v2"},{"group":"autoscaling","kind":"WatchEvent","version":"v2beta1"},{"group":"autoscaling","kind":"WatchEvent","version":"v2beta2"},{"group":"batch","kind":"WatchEvent","version":"v1"},{"group":"batch","kind":"WatchEvent","version":"v1beta1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"certificates.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"coordination.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"coordination.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"discovery.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"discovery.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"events.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"events.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"extensions","kind":"WatchEvent","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta2"},{"group":"flowcontrol.apiserver.k8s.io","kind":"WatchEvent","version":"v1beta3"},{"group":"imagepolicy.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"internal.apiserver.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"networking.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"networking.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"node.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"policy","kind":"WatchEvent","version":"v1"},{"group":"policy","kind":"WatchEvent","version":"v1beta1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"rbac.authorization.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"resource.k8s.io","kind":"WatchEvent","version":"v1alpha2"},{"group":"scheduling.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"scheduling.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"scheduling.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1alpha1"},{"group":"storage.k8s.io","kind":"WatchEvent","version":"v1beta1"},{"group":"storagemigration.k8s.io","kind":"WatchEvent","version":"v1alpha1"}]},"io.k8s.apimachinery.pkg.runtime.RawExtension":{"description":"RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)","type":"object"},"io.k8s.apimachinery.pkg.util.intstr.IntOrString":{"description":"IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.","type":"string","format":"int-or-string"},"io.k8s.apimachinery.pkg.version.Info":{"description":"Info contains versioning information. how we'll want to distribute that information.","type":"object","required":["major","minor","gitVersion","gitCommit","gitTreeState","buildDate","goVersion","compiler","platform"],"properties":{"buildDate":{"type":"string"},"compiler":{"type":"string"},"gitCommit":{"type":"string"},"gitTreeState":{"type":"string"},"gitVersion":{"type":"string"},"goVersion":{"type":"string"},"major":{"type":"string"},"minor":{"type":"string"},"platform":{"type":"string"}}},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService":{"description":"APIService represents a server for a particular GroupVersion. Name must be \"version.group\".","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec contains information for locating and communicating with a server","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"},"status":{"description":"Status contains derived information about an API server","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"}},"x-kubernetes-group-version-kind":[{"group":"apiregistration.k8s.io","kind":"APIService","version":"v1"}]},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition":{"description":"APIServiceCondition describes the state of an APIService at a particular point","type":"object","required":["type","status"],"properties":{"lastTransitionTime":{"description":"Last time the condition transitioned from one status to another.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"message":{"description":"Human-readable message indicating details about last transition.","type":"string"},"reason":{"description":"Unique, one-word, CamelCase reason for the condition's last transition.","type":"string"},"status":{"description":"Status is the status of the condition. Can be True, False, Unknown.","type":"string"},"type":{"description":"Type is the type of the condition.","type":"string"}}},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceList":{"description":"APIServiceList is a list of APIService objects.","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of APIService","type":"array","items":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"apiregistration.k8s.io","kind":"APIServiceList","version":"v1"}]},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec":{"description":"APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.","type":"object","required":["groupPriorityMinimum","versionPriority"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.","type":"string","format":"byte","x-kubernetes-list-type":"atomic"},"group":{"description":"Group is the API group name this server hosts","type":"string"},"groupPriorityMinimum":{"description":"GroupPriorityMinimum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMinimum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s","type":"integer","format":"int32"},"insecureSkipTLSVerify":{"description":"InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.","type":"boolean"},"service":{"description":"Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled.","$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"},"version":{"description":"Version is the API version this server hosts. For example, \"v1\"","type":"string"},"versionPriority":{"description":"VersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is \"kube-like\", it will sort above non \"kube-like\" version strings, which are ordered lexicographically. \"Kube-like\" versions start with a \"v\", then are followed by a number (the major version), then optionally the string \"alpha\" or \"beta\" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.","type":"integer","format":"int32"}}},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus":{"description":"APIServiceStatus contains derived information about an API server","type":"object","properties":{"conditions":{"description":"Current service state of apiService.","type":"array","items":{"$ref":"#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceCondition"},"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"}}},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","type":"object","properties":{"name":{"description":"Name is the name of the service","type":"string"},"namespace":{"description":"Namespace is the namespace of the service","type":"string"},"port":{"description":"If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).","type":"integer","format":"int32"}}},"io.kyverno.reports.v1.ClusterEphemeralReport":{"description":"ClusterEphemeralReport is the Schema for the ClusterEphemeralReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"ClusterEphemeralReport","version":"v1"}]},"io.kyverno.reports.v1.ClusterEphemeralReportList":{"description":"ClusterEphemeralReportList is a list of ClusterEphemeralReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterephemeralreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.reports.v1.ClusterEphemeralReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"ClusterEphemeralReportList","version":"v1"}]},"io.kyverno.reports.v1.EphemeralReport":{"description":"EphemeralReport is the Schema for the EphemeralReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"EphemeralReport","version":"v1"}]},"io.kyverno.reports.v1.EphemeralReportList":{"description":"EphemeralReportList is a list of EphemeralReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ephemeralreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.reports.v1.EphemeralReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"reports.kyverno.io","kind":"EphemeralReportList","version":"v1"}]},"io.kyverno.v1.ClusterPolicy":{"description":"ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.","type":"object","properties":{"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}}}},"webhookTimeoutSeconds":{"description":"WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","required":["ready"],"properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicy","version":"v1"}]},"io.kyverno.v1.ClusterPolicyList":{"description":"ClusterPolicyList is a list of ClusterPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1.ClusterPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicyList","version":"v1"}]},"io.kyverno.v1.Policy":{"description":"Policy declares validation, mutation, and generation behaviors for matching resources.\nSee: https://kyverno.io/docs/writing-policies/ for more information.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines policy behaviors and contains one or more rules.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nThis field should not be accessed directly, instead `GetFailurePolicy()` should be used.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.","type":"object","properties":{"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}}}},"webhookTimeoutSeconds":{"description":"WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"status":{"description":"Deprecated. Policy metrics are available via the metrics endpoint","type":"object","required":["ready"],"properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"Policy","version":"v1"}]},"io.kyverno.v1.PolicyList":{"description":"PolicyList is a list of Policy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1.Policy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyList","version":"v1"}]},"io.kyverno.v1alpha2.AdmissionReport":{"description":"AdmissionReport is the Schema for the AdmissionReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"AdmissionReport","version":"v1alpha2"}]},"io.kyverno.v1alpha2.AdmissionReportList":{"description":"AdmissionReportList is a list of AdmissionReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of admissionreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1alpha2.AdmissionReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"AdmissionReportList","version":"v1alpha2"}]},"io.kyverno.v1alpha2.BackgroundScanReport":{"description":"BackgroundScanReport is the Schema for the BackgroundScanReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v1alpha2"}]},"io.kyverno.v1alpha2.BackgroundScanReportList":{"description":"BackgroundScanReportList is a list of BackgroundScanReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of backgroundscanreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1alpha2.BackgroundScanReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"BackgroundScanReportList","version":"v1alpha2"}]},"io.kyverno.v1alpha2.ClusterAdmissionReport":{"description":"ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v1alpha2"}]},"io.kyverno.v1alpha2.ClusterAdmissionReportList":{"description":"ClusterAdmissionReportList is a list of ClusterAdmissionReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusteradmissionreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterAdmissionReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterAdmissionReportList","version":"v1alpha2"}]},"io.kyverno.v1alpha2.ClusterBackgroundScanReport":{"description":"ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v1alpha2"}]},"io.kyverno.v1alpha2.ClusterBackgroundScanReportList":{"description":"ClusterBackgroundScanReportList is a list of ClusterBackgroundScanReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterbackgroundscanreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1alpha2.ClusterBackgroundScanReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterBackgroundScanReportList","version":"v1alpha2"}]},"io.kyverno.v1beta1.UpdateRequest":{"description":"UpdateRequest is a request to process mutate and generate rules in background.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","required":["context","deleteDownstream","policy","resource","rule"],"properties":{"context":{"description":"Context ...","type":"object","properties":{"admissionRequestInfo":{"description":"AdmissionRequestInfoObject stores the admission request and operation details","type":"object","properties":{"admissionRequest":{"description":"AdmissionRequest describes the admission.Attributes for the admission request.","type":"object","required":["kind","operation","resource","uid","userInfo"],"properties":{"dryRun":{"description":"DryRun indicates that modifications will definitely not be persisted for this request.\nDefaults to false.","type":"boolean"},"kind":{"description":"Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"name":{"description":"Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and\nrely on the server to generate the name. If that is the case, this field will contain an empty string.","type":"string"},"namespace":{"description":"Namespace is the namespace associated with the request (if any).","type":"string"},"object":{"description":"Object is the object from the incoming request.","x-kubernetes-preserve-unknown-fields":true},"oldObject":{"description":"OldObject is the existing object. Only populated for DELETE and UPDATE requests.","x-kubernetes-preserve-unknown-fields":true},"operation":{"description":"Operation is the operation being performed. This may be different than the operation\nrequested. e.g. a patch can result in either a CREATE or UPDATE Operation.","type":"string"},"options":{"description":"Options is the operation option structure of the operation being performed.\ne.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be\ndifferent than the options the caller provided. e.g. for a patch request the performed\nOperation might be a CREATE, in which case the Options will a\n`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.","x-kubernetes-preserve-unknown-fields":true},"requestKind":{"description":"RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).\nIf this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for),\nand `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"requestResource":{"description":"RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).\nIf this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for),\nand `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"requestSubResource":{"description":"RequestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\")\nIf this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed.\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"string"},"resource":{"description":"Resource is the fully-qualified resource being requested (for example, v1.pods)","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"subResource":{"description":"SubResource is the subresource being requested, if any (for example, \"status\" or \"scale\")","type":"string"},"uid":{"description":"UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are\notherwise identical (parallel requests, requests when earlier requests did not modify etc)\nThe UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.\nIt is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.","type":"string"},"userInfo":{"description":"UserInfo is information about the requesting user","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"}},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}},"operation":{"description":"Operation is the type of resource operation being checked for admission control","type":"string"}}},"userInfo":{"description":"RequestInfo contains permission info carried in an admission request.","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is a list of possible clusterRoles send the request."},"roles":{"description":"Roles is a list of possible role send the request."},"userInfo":{"description":"UserInfo is the userInfo carried in the admission request.","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"}},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}}}},"deleteDownstream":{"description":"DeleteDownstream represents whether the downstream needs to be deleted.","type":"boolean"},"policy":{"description":"Specifies the name of the policy.","type":"string"},"requestType":{"description":"Type represents request type for background processing","type":"string","enum":["mutate","generate"]},"resource":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"rule":{"description":"Rule is the associate rule name of the current UR.","type":"string"},"synchronize":{"description":"Synchronize represents the sync behavior of the corresponding rule\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"status":{"description":"Status contains statistics related to update request.","type":"object","required":["state"],"properties":{"generatedResources":{"description":"This will track the resources that are updated by the generate Policy.\nWill be used during clean up resources.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"handler":{"description":"Deprecated","type":"string"},"message":{"description":"Specifies request status message.","type":"string"},"retryCount":{"type":"integer"},"state":{"description":"State represents state of the update request.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequest","version":"v1beta1"}]},"io.kyverno.v1beta1.UpdateRequestList":{"description":"UpdateRequestList is a list of UpdateRequest","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of updaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v1beta1.UpdateRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequestList","version":"v1beta1"}]},"io.kyverno.v2.AdmissionReport":{"description":"AdmissionReport is the Schema for the AdmissionReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"AdmissionReport","version":"v2"}]},"io.kyverno.v2.AdmissionReportList":{"description":"AdmissionReportList is a list of AdmissionReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of admissionreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.AdmissionReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"AdmissionReportList","version":"v2"}]},"io.kyverno.v2.BackgroundScanReport":{"description":"BackgroundScanReport is the Schema for the BackgroundScanReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"BackgroundScanReport","version":"v2"}]},"io.kyverno.v2.BackgroundScanReportList":{"description":"BackgroundScanReportList is a list of BackgroundScanReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of backgroundscanreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.BackgroundScanReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"BackgroundScanReportList","version":"v2"}]},"io.kyverno.v2.CleanupPolicy":{"description":"CleanupPolicy defines a rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2"}]},"io.kyverno.v2.CleanupPolicyList":{"description":"CleanupPolicyList is a list of CleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.CleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicyList","version":"v2"}]},"io.kyverno.v2.ClusterAdmissionReport":{"description":"ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","required":["owner"],"properties":{"owner":{"description":"Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)","type":"object","required":["apiVersion","kind","name","uid"],"properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"blockOwnerDeletion":{"description":"If true, AND if the owner has the \"foregroundDeletion\" finalizer, then\nthe owner cannot be deleted from the key-value store until this\nreference is removed.\nSee https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion\nfor how the garbage collector interacts with this field and enforces the foreground deletion.\nDefaults to false.\nTo set this field, a user needs \"delete\" permission of the owner,\notherwise 422 (Unprocessable Entity) will be returned.","type":"boolean"},"controller":{"description":"If true, this reference points to the managing controller.","type":"boolean"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterAdmissionReport","version":"v2"}]},"io.kyverno.v2.ClusterAdmissionReportList":{"description":"ClusterAdmissionReportList is a list of ClusterAdmissionReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusteradmissionreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.ClusterAdmissionReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterAdmissionReportList","version":"v2"}]},"io.kyverno.v2.ClusterBackgroundScanReport":{"description":"ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"type":"object","properties":{"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterBackgroundScanReport","version":"v2"}]},"io.kyverno.v2.ClusterBackgroundScanReportList":{"description":"ClusterBackgroundScanReportList is a list of ClusterBackgroundScanReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterbackgroundscanreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.ClusterBackgroundScanReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterBackgroundScanReportList","version":"v2"}]},"io.kyverno.v2.ClusterCleanupPolicy":{"description":"ClusterCleanupPolicy defines rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2"}]},"io.kyverno.v2.ClusterCleanupPolicyList":{"description":"ClusterCleanupPolicyList is a list of ClusterCleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustercleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.ClusterCleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicyList","version":"v2"}]},"io.kyverno.v2.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["exceptions","match"],"properties":{"background":{"description":"Background controls if exceptions are applied to existing policies during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"conditions":{"description":"Conditions are used to determine if a resource applies to the exception by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exceptions":{"description":"Exceptions is a list policy/rules to be excluded","type":"array","items":{"description":"Exception stores infos about a policy and rules","type":"object","required":["policyName","ruleNames"],"properties":{"policyName":{"description":"PolicyName identifies the policy to which the exception is applied.\nThe policy name uses the format / unless it\nreferences a ClusterPolicy.","type":"string"},"ruleNames":{"description":"RuleNames identifies the rules to which the exception is applied.","type":"array","items":{"type":"string"}}}}},"match":{"description":"Match defines match clause used to check if a resource applies to the exception","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"podSecurity":{"description":"PodSecurity specifies the Pod Security Standard controls to be excluded.\nApplicable only to policies that have validate.podSecurity subrule.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyException","version":"v2"}]},"io.kyverno.v2.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyExceptionList","version":"v2"}]},"io.kyverno.v2.UpdateRequest":{"description":"UpdateRequest is a request to process mutate and generate rules in background.","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","required":["context","deleteDownstream","policy","resource","rule"],"properties":{"context":{"description":"Context ...","type":"object","properties":{"admissionRequestInfo":{"description":"AdmissionRequestInfoObject stores the admission request and operation details","type":"object","properties":{"admissionRequest":{"description":"AdmissionRequest describes the admission.Attributes for the admission request.","type":"object","required":["kind","operation","resource","uid","userInfo"],"properties":{"dryRun":{"description":"DryRun indicates that modifications will definitely not be persisted for this request.\nDefaults to false.","type":"boolean"},"kind":{"description":"Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"name":{"description":"Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and\nrely on the server to generate the name. If that is the case, this field will contain an empty string.","type":"string"},"namespace":{"description":"Namespace is the namespace associated with the request (if any).","type":"string"},"object":{"description":"Object is the object from the incoming request.","x-kubernetes-preserve-unknown-fields":true},"oldObject":{"description":"OldObject is the existing object. Only populated for DELETE and UPDATE requests.","x-kubernetes-preserve-unknown-fields":true},"operation":{"description":"Operation is the operation being performed. This may be different than the operation\nrequested. e.g. a patch can result in either a CREATE or UPDATE Operation.","type":"string"},"options":{"description":"Options is the operation option structure of the operation being performed.\ne.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be\ndifferent than the options the caller provided. e.g. for a patch request the performed\nOperation might be a CREATE, in which case the Options will a\n`meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.","x-kubernetes-preserve-unknown-fields":true},"requestKind":{"description":"RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale).\nIf this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed.\n\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for),\nand `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request).\n\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type for more details.","type":"object","required":["group","kind","version"],"properties":{"group":{"type":"string"},"kind":{"type":"string"},"version":{"type":"string"}}},"requestResource":{"description":"RequestResource is the fully-qualified resource of the original API request (for example, v1.pods).\nIf this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed.\n\n\nFor example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of\n`apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`,\nan API request to apps/v1beta1 deployments would be converted and sent to the webhook\nwith `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for),\nand `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request).\n\n\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"requestSubResource":{"description":"RequestSubResource is the name of the subresource of the original API request, if any (for example, \"status\" or \"scale\")\nIf this is specified and differs from the value in \"subResource\", an equivalent match and conversion was performed.\nSee documentation for the \"matchPolicy\" field in the webhook configuration type.","type":"string"},"resource":{"description":"Resource is the fully-qualified resource being requested (for example, v1.pods)","type":"object","required":["group","resource","version"],"properties":{"group":{"type":"string"},"resource":{"type":"string"},"version":{"type":"string"}}},"subResource":{"description":"SubResource is the subresource being requested, if any (for example, \"status\" or \"scale\")","type":"string"},"uid":{"description":"UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are\notherwise identical (parallel requests, requests when earlier requests did not modify etc)\nThe UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request.\nIt is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.","type":"string"},"userInfo":{"description":"UserInfo is information about the requesting user","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"}},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}},"operation":{"description":"Operation is the type of resource operation being checked for admission control","type":"string"}}},"userInfo":{"description":"RequestInfo contains permission info carried in an admission request.","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is a list of possible clusterRoles send the request."},"roles":{"description":"Roles is a list of possible role send the request."},"userInfo":{"description":"UserInfo is the userInfo carried in the admission request.","type":"object","properties":{"extra":{"description":"Any additional information provided by the authenticator.","type":"object","additionalProperties":{"description":"ExtraValue masks the value so protobuf can generate","type":"array","items":{"type":"string"}}},"groups":{"description":"The names of groups this user is a part of.","type":"array","items":{"type":"string"}},"uid":{"description":"A unique value that identifies this user across time. If this user is\ndeleted and another user by the same name is added, they will have\ndifferent UIDs.","type":"string"},"username":{"description":"The name that uniquely identifies this user among all active users.","type":"string"}}}}}}},"deleteDownstream":{"description":"DeleteDownstream represents whether the downstream needs to be deleted.","type":"boolean"},"policy":{"description":"Specifies the name of the policy.","type":"string"},"requestType":{"description":"Type represents request type for background processing","type":"string","enum":["mutate","generate"]},"resource":{"description":"ResourceSpec is the information to identify the trigger resource.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"rule":{"description":"Rule is the associate rule name of the current UR.","type":"string"},"synchronize":{"description":"Synchronize represents the sync behavior of the corresponding rule\nOptional. Defaults to \"false\" if not specified.","type":"boolean"}}},"status":{"description":"Status contains statistics related to update request.","type":"object","required":["state"],"properties":{"generatedResources":{"description":"This will track the resources that are updated by the generate Policy.\nWill be used during clean up resources.","type":"array","items":{"type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}},"message":{"description":"Specifies request status message.","type":"string"},"retryCount":{"type":"integer"},"state":{"description":"State represents state of the update request.","type":"string"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequest","version":"v2"}]},"io.kyverno.v2.UpdateRequestList":{"description":"UpdateRequestList is a list of UpdateRequest","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of updaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2.UpdateRequest"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"UpdateRequestList","version":"v2"}]},"io.kyverno.v2beta1.CleanupPolicy":{"description":"CleanupPolicy defines a rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicy","version":"v2beta1"}]},"io.kyverno.v2beta1.CleanupPolicyList":{"description":"CleanupPolicyList is a list of CleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of cleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.CleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"CleanupPolicyList","version":"v2beta1"}]},"io.kyverno.v2beta1.ClusterCleanupPolicy":{"description":"ClusterCleanupPolicy defines rule for resource cleanup.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","required":["schedule"],"properties":{"conditions":{"description":"Conditions defines the conditions used to select the resources which will be cleaned up.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when cleanuppolicy should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"match":{"description":"MatchResources defines when cleanuppolicy should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"schedule":{"description":"The schedule in Cron format","type":"string"}}},"status":{"description":"Status contains policy runtime data.","type":"object","properties":{"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"lastExecutionTime":{"type":"string","format":"date-time"}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicy","version":"v2beta1"}]},"io.kyverno.v2beta1.ClusterCleanupPolicyList":{"description":"ClusterCleanupPolicyList is a list of ClusterCleanupPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clustercleanuppolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterCleanupPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterCleanupPolicyList","version":"v2beta1"}]},"io.kyverno.v2beta1.ClusterPolicy":{"description":"ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy behaviors.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.","type":"object","properties":{"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}}}},"webhookTimeoutSeconds":{"description":"WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","required":["ready"],"properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicy","version":"v2beta1"}]},"io.kyverno.v2beta1.ClusterPolicyList":{"description":"ClusterPolicyList is a list of ClusterPolicy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.ClusterPolicy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"ClusterPolicyList","version":"v2beta1"}]},"io.kyverno.v2beta1.Policy":{"description":"Policy declares validation, mutation, and generation behaviors for matching resources.\nSee: https://kyverno.io/docs/writing-policies/ for more information.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec defines policy behaviors and contains one or more rules.","type":"object","properties":{"admission":{"description":"Admission controls if rules are applied during admission.\nOptional. Default value is \"true\".","type":"boolean"},"applyRules":{"description":"ApplyRules controls how rules in a policy are applied. Rule are processed in\nthe order of declaration. When set to `One` processing stops after a rule has\nbeen applied i.e. the rule matches and results in a pass, fail, or error. When\nset to `All` all rules in the policy are processed. The default is `All`.","type":"string","enum":["All","One"]},"background":{"description":"Background controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"failurePolicy":{"description":"FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.\nRules within the same policy share the same failure behavior.\nAllowed values are Ignore or Fail. Defaults to Fail.","type":"string","enum":["Ignore","Fail"]},"generateExisting":{"description":"GenerateExisting controls whether to trigger generate rule in existing resources\nIf is set to \"true\" generate rule will be triggered and applied to existing matched resources.\nDefaults to \"false\" if not specified.","type":"boolean"},"generateExistingOnPolicyUpdate":{"description":"Deprecated, use generateExisting instead","type":"boolean"},"mutateExistingOnPolicyUpdate":{"description":"MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.\nDefault value is \"false\".","type":"boolean"},"rules":{"description":"Rules is a list of Rule instances. A Policy contains multiple rules and\neach rule can validate, mutate, or generate resources.","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}},"schemaValidation":{"description":"Deprecated.","type":"boolean"},"useServerSideApply":{"description":"UseServerSideApply controls whether to use server-side apply for generate rules\nIf is set to \"true\" create & update for generate rules will use apply instead of create/update.\nDefaults to \"false\" if not specified.","type":"boolean"},"validationFailureAction":{"description":"ValidationFailureAction defines if a validation policy rule violation should block\nthe admission review request (enforce), or allow (audit) the admission review request\nand report an error in a policy report. Optional.\nAllowed values are audit or enforce. The default value is \"Audit\".","type":"string","enum":["audit","enforce","Audit","Enforce"]},"validationFailureActionOverrides":{"description":"ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction\nnamespace-wise. It overrides ValidationFailureAction for the specified namespaces.","type":"array","items":{"type":"object","properties":{"action":{"description":"ValidationFailureAction defines the policy validation failure action","type":"string","enum":["audit","enforce","Audit","Enforce"]},"namespaceSelector":{"description":"A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"type":"array","items":{"type":"string"}}}}},"webhookConfiguration":{"description":"WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.\nRequires Kubernetes 1.27 or later.","type":"object","properties":{"matchConditions":{"description":"MatchCondition configures admission webhook matchConditions.","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}}}},"webhookTimeoutSeconds":{"description":"WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.","type":"integer","format":"int32"}}},"status":{"description":"Status contains policy runtime data.","type":"object","required":["ready"],"properties":{"autogen":{"description":"AutogenStatus contains autogen status information.","type":"object","properties":{"rules":{"description":"Rules is a list of Rule instances. It contains auto generated rules added for pod controllers","type":"array","items":{"description":"Rule defines a validation, mutation, or generation control for matching resources.\nEach rules contains a match declaration to select resources, and an optional exclude\ndeclaration to specify which resources to exclude.","type":"object","required":["name"],"properties":{"celPreconditions":{"description":"CELPreconditions are used to determine if a policy rule should be applied by evaluating a\nset of CEL conditions. It can only be used with the validate.cel subrule","type":"array","items":{"description":"MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\n\nRequired.","type":"string"},"name":{"description":"Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\n\nRequired.","type":"string"}}}},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exclude":{"description":"ExcludeResources defines when this policy rule should not be applied. The exclude\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the name or role.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"generate":{"description":"Generation is used to create new resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"clone":{"description":"Clone specifies the source resource used to populate each generated resource.\nAt most one of Data or Clone can be specified. If neither are provided, the generated\nresource will be created with default data only.","type":"object","properties":{"name":{"description":"Name specifies name of the resource.","type":"string"},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"}}},"cloneList":{"description":"CloneList specifies the list of source resource used to populate each generated resource.","type":"object","properties":{"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"namespace":{"description":"Namespace specifies source resource namespace.","type":"string"},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels`.\nwildcard characters are not supported.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"data":{"description":"Data provides the resource declaration used to populate each generated resource.\nAt most one of Data or Clone must be specified. If neither are provided, the generated\nresource will be created with default data only.","x-kubernetes-preserve-unknown-fields":true},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"orphanDownstreamOnPolicyDelete":{"description":"OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated\nthem is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.\nSee https://kyverno.io/docs/writing-policies/generate/#data-examples.\nDefaults to \"false\" if not specified.","type":"boolean"},"synchronize":{"description":"Synchronize controls if generated resources should be kept in-sync with their source resource.\nIf Synchronize is set to \"true\" changes to generated resources will be overwritten with resource\ndata from Data or the resource specified in the Clone declaration.\nOptional. Defaults to \"false\" if not specified.","type":"boolean"},"uid":{"description":"UID specifies the resource uid.","type":"string"}}},"imageExtractors":{"description":"ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.\nThis config is only valid for verifyImages rules.","type":"object","additionalProperties":{"type":"array","items":{"type":"object","required":["path"],"properties":{"jmesPath":{"description":"JMESPath is an optional JMESPath expression to apply to the image value.\nThis is useful when the extracted image begins with a prefix like 'docker://'.\nThe 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').\nNote - Image digest mutation may not be used when applying a JMESPAth to an image.","type":"string"},"key":{"description":"Key is an optional name of the field within 'path' that will be used to uniquely identify an image.\nNote - this field MUST be unique.","type":"string"},"name":{"description":"Name is the entry the image will be available under 'images.' in the context.\nIf this field is not defined, image entries will appear under 'images.custom'.","type":"string"},"path":{"description":"Path is the path to the object containing the image field in a custom resource.\nIt should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.\nWildcard keys are expanded in case of arrays or objects.","type":"string"},"value":{"description":"Value is an optional name of the field within 'path' that points to the image URI.\nThis is useful when a custom 'key' is also defined.","type":"string"}}}}},"match":{"description":"MatchResources defines when this policy rule should be applied. The match\ncriteria can include resource information (e.g. kind, name, namespace, labels)\nand admission review request information like the user name or role.\nAt least one kind is required.","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.\nRequires at least one tag to be specified when under MatchResources.\nSpecifying ResourceDescription directly under match is being deprecated.\nPlease specify under \"any\" or \"all\" instead.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}},"mutate":{"description":"Mutation is used to modify matching resources.","type":"object","properties":{"foreach":{"description":"ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"order":{"description":"Order defines the iteration order on the list.\nCan be Ascending to iterate from first to last element or Descending to iterate in from last to first element.","type":"string","enum":["Ascending","Descending"]},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"patchStrategicMerge":{"description":"PatchStrategicMerge is a strategic merge patch used to modify resources.\nSee https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/\nand https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.","x-kubernetes-preserve-unknown-fields":true},"patchesJson6902":{"description":"PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.\nSee https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.","type":"string"},"targets":{"description":"Targets defines the target resources to be mutated.","type":"array","items":{"description":"TargetResourceSpec defines targets for mutating existing resources.","type":"object","properties":{"apiVersion":{"description":"APIVersion specifies resource apiVersion.","type":"string"},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"kind":{"description":"Kind specifies resource kind.","type":"string"},"name":{"description":"Name specifies the resource name.","type":"string"},"namespace":{"description":"Namespace specifies resource namespace.","type":"string"},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"uid":{"description":"UID specifies the resource uid.","type":"string"}}}}}},"name":{"description":"Name is a label to identify the rule, It must be unique within the policy.","type":"string","maxLength":63},"preconditions":{"description":"Preconditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements. A direct list\nof conditions (without `any` or `all` statements is supported for backwards compatibility but\nwill be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true},"skipBackgroundRequests":{"description":"SkipBackgroundRequests bypasses admission requests that are sent by the background controller.\nThe default value is set to \"true\", it must be set to \"false\" to apply\ngenerate and mutateExisting rules to those requests.","type":"boolean"},"validate":{"description":"Validation is used to validate matching resources.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"cel":{"description":"CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).","type":"object","properties":{"auditAnnotations":{"description":"AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.","type":"array","items":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","type":"object","required":["key","valueExpression"],"properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\n\nRequired.","type":"string"}}}},"expressions":{"description":"Expressions is a list of CELExpression types.","type":"array","items":{"description":"Validation specifies the CEL expression which is used to apply the validation.","type":"object","required":["expression"],"properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks. Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}}},"paramKind":{"description":"ParamKind is a tuple of Group Kind and Version.","type":"object","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to.\nIn format of \"group/version\".\nRequired.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to.\nRequired.","type":"string"}},"x-kubernetes-map-type":"atomic"},"paramRef":{"description":"ParamRef references a parameter resource.","type":"object","properties":{"name":{"description":"`name` is the name of the resource being referenced.\n\n\n`name` and `selector` are mutually exclusive properties. If one is set,\nthe other must be unset.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting\nthe search for params to a specific namespace. Applies to both `name` and\n`selector` fields.\n\n\nA per-namespace parameter may be used by specifying a namespace-scoped\n`paramKind` in the policy and leaving this field empty.\n\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this\nfield results in a configuration error.\n\n\n- If `paramKind` is namespace-scoped, the namespace of the object being\nevaluated for admission will be used when this field is left unset. Take\ncare that if this is left empty the binding must not match any cluster-scoped\nresources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"description":"`parameterNotFoundAction` controls the behavior of the binding when the resource\nexists, and name or selector is valid, but there are no parameters\nmatched by the binding. If the value is set to `Allow`, then no\nmatched parameters will be treated as successful validation by the binding.\nIf set to `Deny`, then no matched parameters will be subject to the\n`failurePolicy` of the policy.\n\n\nAllowed values are `Allow` or `Deny`\nDefault to `Deny`","type":"string"},"selector":{"description":"selector can be used to match multiple param objects based on their labels.\nSupply selector: {} to match all resources of the ParamKind.\n\n\nIf multiple params are found, they are all evaluated with the policy expressions\nand the results are ANDed together.\n\n\nOne of `name` or `selector` must be set, but `name` and `selector` are\nmutually exclusive properties. If one is set, the other must be unset.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}},"x-kubernetes-map-type":"atomic"},"variables":{"description":"Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.\nThe variables defined here will be available under `variables` in other expressions of the policy.","type":"array","items":{"description":"Variable is the definition of a variable that is used for composition.","type":"object","required":["expression","name"],"properties":{"expression":{"description":"Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.","type":"string"},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"foreach":{"description":"ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"array","items":{"description":"ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.","type":"object","properties":{"anyPattern":{"description":"AnyPattern specifies list of validation patterns. At least one of the patterns\nmust be satisfied for the validation rule to succeed.","x-kubernetes-preserve-unknown-fields":true},"context":{"description":"Context defines variables and data sources that can be used during rule execution.","type":"array","items":{"description":"ContextEntry adds variables and data sources to a rule Context. Either a\nConfigMap reference or a APILookup must be provided.","type":"object","properties":{"apiCall":{"description":"APICall is an HTTP request to the Kubernetes API server, or other JSON web service.\nThe data returned is stored in the context with the name for the context entry.","type":"object","properties":{"data":{"description":"The data object specifies the POST data sent to the server.\nOnly applicable when the method field is set to POST.","type":"array","items":{"description":"RequestData contains the HTTP POST data","type":"object","required":["key","value"],"properties":{"key":{"description":"Key is a unique identifier for the data value","type":"string"},"value":{"description":"Value is the data value","x-kubernetes-preserve-unknown-fields":true}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"method":{"description":"Method is the HTTP request type (GET or POST).","type":"string","enum":["GET","POST"]},"service":{"description":"Service is an API call to a JSON web service.\nThis is used for non-Kubernetes API server calls.\nIt's mutually exclusive with the URLPath field.","type":"object","required":["url"],"properties":{"caBundle":{"description":"CABundle is a PEM encoded CA bundle which will be used to validate\nthe server certificate.","type":"string"},"url":{"description":"URL is the JSON web service URL. A typical form is\n`https://{service}.{namespace}:{port}/{path}`.","type":"string"}}},"urlPath":{"description":"URLPath is the URL path to be used in the HTTP GET or POST request to the\nKubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\").\nThe format required is the same format used by the `kubectl get --raw` command.\nSee https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls\nfor details.\nIt's mutually exclusive with the Service field.","type":"string"}}},"configMap":{"description":"ConfigMap is the ConfigMap reference.","type":"object","required":["name"],"properties":{"name":{"description":"Name is the ConfigMap name.","type":"string"},"namespace":{"description":"Namespace is the ConfigMap namespace.","type":"string"}}},"globalReference":{"description":"GlobalContextEntryReference is a reference to a cached global context entry.","type":"object","properties":{"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the JSON response returned from the server. For example\na JMESPath of \"items | length(@)\" applied to the API server response\nfor the URLPath \"/apis/apps/v1/deployments\" will return the total count\nof deployments across all namespaces.","type":"string"},"name":{"description":"Name of the global context entry","type":"string"}}},"imageRegistry":{"description":"ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image\ndetails.","type":"object","required":["reference"],"properties":{"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"jmesPath":{"description":"JMESPath is an optional JSON Match Expression that can be used to\ntransform the ImageData struct returned as a result of processing\nthe image reference.","type":"string"},"reference":{"description":"Reference is image reference to a container image in the registry.\nExample: ghcr.io/kyverno/kyverno:latest","type":"string"}}},"name":{"description":"Name is the variable name.","type":"string"},"variable":{"description":"Variable defines an arbitrary JMESPath context variable that can be defined inline.","type":"object","properties":{"default":{"description":"Default is an optional arbitrary JSON object that the variable may take if the JMESPath\nexpression evaluates to nil","x-kubernetes-preserve-unknown-fields":true},"jmesPath":{"description":"JMESPath is an optional JMESPath Expression that can be used to\ntransform the variable.","type":"string"},"value":{"description":"Value is any arbitrary JSON object representable in YAML or JSON form.","x-kubernetes-preserve-unknown-fields":true}}}}}},"deny":{"description":"Deny defines conditions used to pass or fail a validation rule.","type":"object","properties":{"conditions":{"description":"Multiple conditions can be declared under an `any` or `all` statement. A direct list\nof conditions (without `any` or `all` statements) is also supported for backwards compatibility\nbut will be deprecated in the next major release.\nSee: https://kyverno.io/docs/writing-policies/validate/#deny-rules","x-kubernetes-preserve-unknown-fields":true}}},"elementScope":{"description":"ElementScope specifies whether to use the current list element as the scope for validation. Defaults to \"true\" if not specified.\nWhen set to \"false\", \"request.object\" is used as the validation scope within the foreach\nblock to allow referencing other elements in the subtree.","type":"boolean"},"foreach":{"description":"Foreach declares a nested foreach iterator","x-kubernetes-preserve-unknown-fields":true},"list":{"description":"List specifies a JMESPath expression that results in one or more elements\nto which the validation logic is applied.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"preconditions":{"description":"AnyAllConditions are used to determine if a policy rule should be applied by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.\nSee: https://kyverno.io/docs/writing-policies/preconditions/","x-kubernetes-preserve-unknown-fields":true}}}},"manifests":{"description":"Manifest specifies conditions for manifest verification","type":"object","properties":{"annotationDomain":{"description":"AnnotationDomain is custom domain of annotation for message and signature. Default is \"cosign.sigstore.dev\".","type":"string"},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"dryRun":{"description":"DryRun configuration","type":"object","properties":{"enable":{"type":"boolean"},"namespace":{"type":"string"}}},"ignoreFields":{"description":"Fields which will be ignored while comparing manifests.","type":"array","items":{"type":"object","properties":{"fields":{"type":"array","items":{"type":"string"}},"objects":{"type":"array","items":{"type":"object","properties":{"group":{"type":"string"},"kind":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"version":{"type":"string"}}}}}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for resource bundle reference.\nThe repository can be overridden per Attestor or Attestation.","type":"string"}}},"message":{"description":"Message specifies a custom message to be displayed on failure.","type":"string"},"pattern":{"description":"Pattern specifies an overlay-style pattern used to check resources.","x-kubernetes-preserve-unknown-fields":true},"podSecurity":{"description":"PodSecurity applies exemptions for Kubernetes Pod Security admission\nby specifying exclusions for Pod Security Standards controls.","type":"object","properties":{"exclude":{"description":"Exclude specifies the Pod Security Standard controls to be excluded.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}},"level":{"description":"Level defines the Pod Security Standard level to be applied to workloads.\nAllowed values are privileged, baseline, and restricted.","type":"string","enum":["privileged","baseline","restricted"]},"version":{"description":"Version defines the Pod Security Standard versions that Kubernetes supports.\nAllowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.","type":"string","enum":["v1.19","v1.20","v1.21","v1.22","v1.23","v1.24","v1.25","v1.26","v1.27","v1.28","v1.29","latest"]}}}}},"verifyImages":{"description":"VerifyImages is used to verify image signatures and mutate them to add a digest","type":"array","items":{"description":"ImageVerification validates that images that match the specified pattern\nare signed with the supplied public key. Once the image is verified it is\nmutated to include the SHA digest retrieved during the registration.","type":"object","properties":{"additionalExtensions":{"description":"Deprecated.","type":"object","additionalProperties":{"type":"string"}},"annotations":{"description":"Deprecated. Use annotations per Attestor instead.","type":"object","additionalProperties":{"type":"string"}},"attestations":{"description":"Attestations are optional checks for signed in-toto Statements used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statement declarations.","type":"array","items":{"description":"Attestation are checks for signed in-toto Statements that are used to verify the image.\nSee https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the\nOCI registry and decodes them into a list of Statements.","type":"object","properties":{"attestors":{"description":"Attestors specify the required attestors (i.e. authorities).","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"conditions":{"description":"Conditions are used to verify attributes within a Predicate. If no Conditions are specified\nthe attestation check is satisfied as long there are predicates that match the predicate type.","type":"array","items":{"description":"AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.\nAnyConditions get fulfilled when at least one of its sub-conditions passes.\nAllConditions get fulfilled only when all of its sub-conditions pass.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass","type":"array","items":{"description":"Condition defines variable-based conditional criteria for rule execution.","type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","In","AnyIn","AllIn","NotIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}}},"predicateType":{"description":"Deprecated in favour of 'Type', to be removed soon","type":"string"},"type":{"description":"Type defines the type of attestation contained within the Statement.","type":"string"}}}},"attestors":{"description":"Attestors specified the required attestors (i.e. authorities)","type":"array","items":{"type":"object","properties":{"count":{"description":"Count specifies the required number of entries that must match. If the count is null, all entries must match\n(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a\nvalue N, then N must be less than or equal to the size of entries, and at least N entries must match.","type":"integer","minimum":1},"entries":{"description":"Entries contains the available attestors. An attestor can be a static key,\nattributes for keyless verification, or a nested attestor declaration.","type":"array","items":{"type":"object","properties":{"annotations":{"description":"Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.","type":"object","additionalProperties":{"type":"string"}},"attestor":{"description":"Attestor is a nested set of Attestor used to specify a more complex set of match authorities.","x-kubernetes-preserve-unknown-fields":true},"certificates":{"description":"Certificates specifies one or more certificates.","type":"object","properties":{"cert":{"description":"Cert is an optional PEM-encoded public certificate.","type":"string"},"certChain":{"description":"CertChain is an optional PEM encoded set of certificates used to verify.","type":"string"},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}}}},"keyless":{"description":"Keyless is a set of attribute used to verify a Sigstore keyless attestor.\nSee https://github.com/sigstore/cosign/blob/main/KEYLESS.md.","type":"object","properties":{"additionalExtensions":{"description":"AdditionalExtensions are certificate-extensions used for keyless signing.","type":"object","additionalProperties":{"type":"string"}},"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"issuer":{"description":"Issuer is the certificate issuer used for keyless signing.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"roots":{"description":"Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.","type":"string"},"subject":{"description":"Subject is the verified identity used for keyless signing, for example the email address.","type":"string"}}},"keys":{"description":"Keys specifies one or more public keys.","type":"object","properties":{"ctlog":{"description":"CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate\nTimestamps (SCTs). If the value is unset, the default behavior by Cosign is used.","type":"object","properties":{"ignoreSCT":{"description":"IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.","type":"boolean"},"pubkey":{"description":"PubKey, if set, is used to validate SCTs against a custom source.","type":"string"}}},"kms":{"description":"KMS provides the URI to the public key stored in a Key Management System. See:\nhttps://github.com/sigstore/cosign/blob/main/KMS.md","type":"string"},"publicKeys":{"description":"Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly\nspecified or can be a variable reference to a key specified in a ConfigMap (see\nhttps://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret\nelsewhere in the cluster by specifying it in the format \"k8s:///\".\nThe named Secret must specify a key `cosign.pub` containing the public key used for\nverification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).\nWhen multiple keys are specified each key is processed as a separate staticKey entry\n(.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.","type":"string"},"rekor":{"description":"Rekor provides configuration for the Rekor transparency log service. If an empty object\nis provided the public instance of Rekor (https://rekor.sigstore.dev) is used.","type":"object","properties":{"ignoreTlog":{"description":"IgnoreTlog skips transparency log verification.","type":"boolean"},"pubkey":{"description":"RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.","type":"string"},"url":{"description":"URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.","type":"string"}}},"secret":{"description":"Reference to a Secret resource that contains a public key","type":"object","required":["name","namespace"],"properties":{"name":{"description":"Name of the secret. The provided secret must contain a key named cosign.pub.","type":"string"},"namespace":{"description":"Namespace name where the Secret exists.","type":"string"}}},"signatureAlgorithm":{"description":"Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.","type":"string"}}},"repository":{"description":"Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.\nIf specified Repository will override other OCI image repository locations for this Attestor.","type":"string"}}}}}}},"image":{"description":"Deprecated. Use ImageReferences instead.","type":"string"},"imageReferences":{"description":"ImageReferences is a list of matching image reference patterns. At least one pattern in the\nlist must match the image for the rule to apply. Each image reference consists of a registry\naddress (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"imageRegistryCredentials":{"description":"ImageRegistryCredentials provides credentials that will be used for authentication with registry.","type":"object","properties":{"allowInsecureRegistry":{"description":"AllowInsecureRegistry allows insecure access to a registry.","type":"boolean"},"providers":{"description":"Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.","type":"array","items":{"description":"ImageRegistryCredentialsProvidersType provides the list of credential providers required.","type":"string","enum":["default","amazon","azure","google","github"]}},"secrets":{"description":"Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.","type":"array","items":{"type":"string"}}}},"issuer":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"key":{"description":"Deprecated. Use StaticKeyAttestor instead.","type":"string"},"mutateDigest":{"description":"MutateDigest enables replacement of image tags with digests.\nDefaults to true.","type":"boolean"},"repository":{"description":"Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.\nIf specified Repository will override the default OCI image repository configured for the installation.\nThe repository can also be overridden per Attestor or Attestation.","type":"string"},"required":{"description":"Required validates that images are verified i.e. have matched passed a signature or attestation check.","type":"boolean"},"roots":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"skipImageReferences":{"description":"SkipImageReferences is a list of matching image reference patterns that should be skipped.\nAt least one pattern in the list must match the image for the rule to be skipped. Each image reference\nconsists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"subject":{"description":"Deprecated. Use KeylessAttestor instead.","type":"string"},"type":{"description":"Type specifies the method of signature validation. The allowed options\nare Cosign and Notary. By default Cosign is used if a type is not specified.","type":"string","enum":["Cosign","Notary"]},"useCache":{"description":"UseCache enables caching of image verify responses for this rule.","type":"boolean"},"verifyDigest":{"description":"VerifyDigest validates that images have a digest.","type":"boolean"}}}}}}}}},"conditions":{"type":"array","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t // other fields\n\t}","type":"object","required":["lastTransitionTime","message","reason","status","type"],"properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","type":"string","format":"date-time"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","type":"string","maxLength":32768},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","type":"integer","format":"int64","minimum":0},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","type":"string","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"},"status":{"description":"status of the condition, one of True, False, Unknown.","type":"string","enum":["True","False","Unknown"]},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.\n---\nMany .condition.type values are consistent across resources like Available, but because arbitrary conditions can be\nuseful (see .node.status.conditions), the ability to deconflict is important.\nThe regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)","type":"string","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"}}}},"ready":{"description":"Deprecated in favor of Conditions","type":"boolean"},"rulecount":{"description":"RuleCountStatus contains four variables which describes counts for\nvalidate, generate, mutate and verify images rules","type":"object","required":["generate","mutate","validate","verifyimages"],"properties":{"generate":{"description":"Count for generate rules in policy","type":"integer"},"mutate":{"description":"Count for mutate rules in policy","type":"integer"},"validate":{"description":"Count for validate rules in policy","type":"integer"},"verifyimages":{"description":"Count for verify image rules in policy","type":"integer"}}},"validatingadmissionpolicy":{"description":"ValidatingAdmissionPolicy contains status information","type":"object","required":["generated","message"],"properties":{"generated":{"description":"Generated indicates whether a validating admission policy is generated from the policy or not","type":"boolean"},"message":{"description":"Message is a human readable message indicating details about the generation of validating admission policy\nIt is an empty string when validating admission policy is successfully generated.","type":"string"}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"Policy","version":"v2beta1"}]},"io.kyverno.v2beta1.PolicyException":{"description":"PolicyException declares resources to be excluded from specified policies.","type":"object","required":["spec"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"description":"Spec declares policy exception behaviors.","type":"object","required":["exceptions","match"],"properties":{"background":{"description":"Background controls if exceptions are applied to existing policies during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).","type":"boolean"},"conditions":{"description":"Conditions are used to determine if a resource applies to the exception by evaluating a\nset of conditions. The declaration can contain nested `any` or `all` statements.","type":"object","properties":{"all":{"description":"AllConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, all of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}},"any":{"description":"AnyConditions enable variable-based conditional rule execution. This is useful for\nfiner control of when an rule is applied. A condition can reference object data\nusing JMESPath notation.\nHere, at least one of the conditions need to pass.","type":"array","items":{"type":"object","properties":{"key":{"description":"Key is the context entry (using JMESPath) for conditional rule evaluation.","x-kubernetes-preserve-unknown-fields":true},"message":{"description":"Message is an optional display message","type":"string"},"operator":{"description":"Operator is the conditional operation to perform. Valid operators are:\nEquals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,\nGreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,\nDurationLessThanOrEquals, DurationLessThan","type":"string","enum":["Equals","NotEquals","AnyIn","AllIn","AnyNotIn","AllNotIn","GreaterThanOrEquals","GreaterThan","LessThanOrEquals","LessThan","DurationGreaterThanOrEquals","DurationGreaterThan","DurationLessThanOrEquals","DurationLessThan"]},"value":{"description":"Value is the conditional value, or set of values. The values can be fixed set\nor can be variables declared using JMESPath.","x-kubernetes-preserve-unknown-fields":true}}}}}},"exceptions":{"description":"Exceptions is a list policy/rules to be excluded","type":"array","items":{"description":"Exception stores infos about a policy and rules","type":"object","required":["policyName","ruleNames"],"properties":{"policyName":{"description":"PolicyName identifies the policy to which the exception is applied.\nThe policy name uses the format / unless it\nreferences a ClusterPolicy.","type":"string"},"ruleNames":{"description":"RuleNames identifies the rules to which the exception is applied.","type":"array","items":{"type":"string"}}}}},"match":{"description":"Match defines match clause used to check if a resource applies to the exception","type":"object","properties":{"all":{"description":"All allows specifying resources which will be ANDed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}},"any":{"description":"Any allows specifying resources which will be ORed","type":"array","items":{"description":"ResourceFilter allow users to \"AND\" or \"OR\" between resources","type":"object","properties":{"clusterRoles":{"description":"ClusterRoles is the list of cluster-wide role names for the user.","type":"array","items":{"type":"string"}},"resources":{"description":"ResourceDescription contains information about the resource being created or modified.","type":"object","properties":{"annotations":{"description":"Annotations is a map of annotations (key-value pairs of type string). Annotation keys\nand values support the wildcard characters \"*\" (matches zero or many characters) and\n\"?\" (matches at least one character).","type":"object","additionalProperties":{"type":"string"}},"kinds":{"description":"Kinds is a list of resource kinds.","type":"array","items":{"type":"string"}},"name":{"description":"Name is the name of the resource. The name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).\nNOTE: \"Name\" is being deprecated in favor of \"Names\".","type":"string"},"names":{"description":"Names are the names of the resources. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"namespaceSelector":{"description":"NamespaceSelector is a label selector for the resource namespace. Label keys and values\nin `matchLabels` support the wildcard characters `*` (matches zero or many characters)\nand `?` (matches one character).Wildcards allows writing label selectors like\n[\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but\ndoes not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"namespaces":{"description":"Namespaces is a list of namespaces names. Each name supports wildcard characters\n\"*\" (matches zero or many characters) and \"?\" (at least one character).","type":"array","items":{"type":"string"}},"operations":{"description":"Operations can contain values [\"CREATE, \"UPDATE\", \"CONNECT\", \"DELETE\"], which are used to match a specific action.","type":"array","items":{"description":"AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action.","type":"string","enum":["CREATE","CONNECT","UPDATE","DELETE"]}},"selector":{"description":"Selector is a label selector. Label keys and values in `matchLabels` support the wildcard\ncharacters `*` (matches zero or many characters) and `?` (matches one character).\nWildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that\nusing [\"*\" : \"*\"] matches any key and value but does not match an empty label set.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"}}},"roles":{"description":"Roles is the list of namespaced role names for the user.","type":"array","items":{"type":"string"}},"subjects":{"description":"Subjects is the list of subject names like users, user groups, and service accounts.","type":"array","items":{"description":"Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,\nor a value for non-objects such as user and group names.","type":"object","required":["kind","name"],"properties":{"apiGroup":{"description":"APIGroup holds the API group of the referenced subject.\nDefaults to \"\" for ServiceAccount subjects.\nDefaults to \"rbac.authorization.k8s.io\" for User and Group subjects.","type":"string"},"kind":{"description":"Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\".\nIf the Authorizer does not recognized the kind value, the Authorizer should report an error.","type":"string"},"name":{"description":"Name of the object being referenced.","type":"string"},"namespace":{"description":"Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty\nthe Authorizer should report an error.","type":"string"}},"x-kubernetes-map-type":"atomic"}}}}}}},"podSecurity":{"description":"PodSecurity specifies the Pod Security Standard controls to be excluded.\nApplicable only to policies that have validate.podSecurity subrule.","type":"array","items":{"description":"PodSecurityStandard specifies the Pod Security Standard controls to be excluded.","type":"object","required":["controlName"],"properties":{"controlName":{"description":"ControlName specifies the name of the Pod Security Standard control.\nSee: https://kubernetes.io/docs/concepts/security/pod-security-standards/","type":"string","enum":["HostProcess","Host Namespaces","Privileged Containers","Capabilities","HostPath Volumes","Host Ports","AppArmor","SELinux","/proc Mount Type","Seccomp","Sysctls","Volume Types","Privilege Escalation","Running as Non-root","Running as Non-root user"]},"images":{"description":"Images selects matching containers and applies the container level PSS.\nEach image is the image name consisting of the registry address, repository, image, and tag.\nEmpty list matches no containers, PSS checks are applied at the pod level only.\nWildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.","type":"array","items":{"type":"string"}},"restrictedField":{"description":"RestrictedField selects the field for the given Pod Security Standard control.\nWhen not set, all restricted fields for the control are selected.","type":"string"},"values":{"description":"Values defines the allowed values that can be excluded.","type":"array","items":{"type":"string"}}}}}}}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyException","version":"v2beta1"}]},"io.kyverno.v2beta1.PolicyExceptionList":{"description":"PolicyExceptionList is a list of PolicyException","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyexceptions. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.PolicyException"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyExceptionList","version":"v2beta1"}]},"io.kyverno.v2beta1.PolicyList":{"description":"PolicyList is a list of Policy","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.kyverno.v2beta1.Policy"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"kyverno.io","kind":"PolicyList","version":"v2beta1"}]},"io.wgpolicyk8s.v1alpha2.ClusterPolicyReport":{"description":"ClusterPolicyReport is the Schema for the clusterpolicyreports API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"scope":{"description":"Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"scopeSelector":{"description":"ScopeSelector is an optional selector for multiple scopes (e.g. Pods).\nEither one of, or none of, but not both of, Scope or ScopeSelector should be specified.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReport","version":"v1alpha2"}]},"io.wgpolicyk8s.v1alpha2.ClusterPolicyReportList":{"description":"ClusterPolicyReportList is a list of ClusterPolicyReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of clusterpolicyreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.ClusterPolicyReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"ClusterPolicyReportList","version":"v1alpha2"}]},"io.wgpolicyk8s.v1alpha2.PolicyReport":{"description":"PolicyReport is the Schema for the policyreports API","type":"object","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"results":{"description":"PolicyReportResult provides result details","type":"array","items":{"description":"PolicyReportResult provides the result for an individual policy","type":"object","required":["policy"],"properties":{"category":{"description":"Category indicates policy category","type":"string"},"message":{"description":"Description is a short user friendly message for the policy rule","type":"string"},"policy":{"description":"Policy is the name or identifier of the policy","type":"string"},"properties":{"description":"Properties provides additional information for the policy rule","type":"object","additionalProperties":{"type":"string"}},"resourceSelector":{"description":"SubjectSelector is an optional label selector for checked Kubernetes resources.\nFor example, a policy result may apply to all pods that match a label.\nEither a Subject or a SubjectSelector can be specified.\nIf neither are provided, the result is assumed to be for the policy report scope.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"resources":{"description":"Subjects is an optional reference to the checked Kubernetes resources","type":"array","items":{"description":"ObjectReference contains enough information to let you inspect or modify the referred object.\n---\nNew uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.\n 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.\n 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular\n restrictions like, \"must refer only to types A and B\" or \"UID not honored\" or \"name must be restricted\".\n Those cannot be well described when embedded.\n 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.\n 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity\n during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple\n and the version of the actual struct is irrelevant.\n 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type\n will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.\n\n\nInstead of using this type, create a locally provided and used type that is well-focused on your reference.\nFor example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"}},"result":{"description":"Result indicates the outcome of the policy rule execution","type":"string","enum":["pass","fail","warn","error","skip"]},"rule":{"description":"Rule is the name or identifier of the rule within the policy","type":"string"},"scored":{"description":"Scored indicates if this result is scored","type":"boolean"},"severity":{"description":"Severity indicates policy check result criticality","type":"string","enum":["critical","high","low","medium","info"]},"source":{"description":"Source is an identifier for the policy engine that manages this report","type":"string"},"timestamp":{"description":"Timestamp indicates the time the result was found","type":"object","required":["nanos","seconds"],"properties":{"nanos":{"description":"Non-negative fractions of a second at nanosecond resolution. Negative\nsecond values with fractions must still have non-negative nanos values\nthat count forward in time. Must be from 0 to 999,999,999\ninclusive. This field may be limited in precision depending on context.","type":"integer","format":"int32"},"seconds":{"description":"Represents seconds of UTC time since Unix epoch\n1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to\n9999-12-31T23:59:59Z inclusive.","type":"integer","format":"int64"}}}}}},"scope":{"description":"Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node)","type":"object","properties":{"apiVersion":{"description":"API version of the referent.","type":"string"},"fieldPath":{"description":"If referring to a piece of an object instead of an entire object, this string\nshould contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].\nFor example, if the object reference is to a container within a pod, this would take on a value like:\n\"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered\nthe event) or if no container name is specified \"spec.containers[2]\" (container with\nindex 2 in this pod). This syntax is chosen only to have some well-defined way of\nreferencing a part of an object.\nTODO: this design is not final and this field is subject to change in the future.","type":"string"},"kind":{"description":"Kind of the referent.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"name":{"description":"Name of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"namespace":{"description":"Namespace of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/","type":"string"},"resourceVersion":{"description":"Specific resourceVersion to which this reference is made, if any.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"uid":{"description":"UID of the referent.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids","type":"string"}},"x-kubernetes-map-type":"atomic"},"scopeSelector":{"description":"ScopeSelector is an optional selector for multiple scopes (e.g. Pods).\nEither one of, or none of, but not both of, Scope or ScopeSelector should be specified.","type":"object","properties":{"matchExpressions":{"description":"matchExpressions is a list of label selector requirements. The requirements are ANDed.","type":"array","items":{"description":"A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.","type":"object","required":["key","operator"],"properties":{"key":{"description":"key is the label key that the selector applies to.","type":"string"},"operator":{"description":"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.","type":"string"},"values":{"description":"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.","type":"array","items":{"type":"string"}}}}},"matchLabels":{"description":"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.","type":"object","additionalProperties":{"type":"string"}}},"x-kubernetes-map-type":"atomic"},"summary":{"description":"PolicyReportSummary provides a summary of results","type":"object","properties":{"error":{"description":"Error provides the count of policies that could not be evaluated","type":"integer"},"fail":{"description":"Fail provides the count of policies whose requirements were not met","type":"integer"},"pass":{"description":"Pass provides the count of policies whose requirements were met","type":"integer"},"skip":{"description":"Skip indicates the count of policies that were not selected for evaluation","type":"integer"},"warn":{"description":"Warn provides the count of non-scored policies whose requirements were not met","type":"integer"}}}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"PolicyReport","version":"v1alpha2"}]},"io.wgpolicyk8s.v1alpha2.PolicyReportList":{"description":"PolicyReportList is a list of PolicyReport","type":"object","required":["items"],"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of policyreports. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","type":"array","items":{"$ref":"#/definitions/io.wgpolicyk8s.v1alpha2.PolicyReport"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}},"x-kubernetes-group-version-kind":[{"group":"wgpolicyk8s.io","kind":"PolicyReportList","version":"v1alpha2"}]}},"parameters":{"allowWatchBookmarks-HC2hJt-J":{"uniqueItems":true,"type":"boolean","description":"allowWatchBookmarks requests watch events with type \"BOOKMARK\". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored.","name":"allowWatchBookmarks","in":"query"},"body-2Y1dVQaQ":{"name":"body","in":"body","schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"}},"body-78PwaGsr":{"name":"body","in":"body","required":true,"schema":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Patch"}},"command-Py3eQybp":{"uniqueItems":true,"type":"string","description":"Command is the remote command to execute. argv array. Not executed within a shell.","name":"command","in":"query"},"container-1GeXxFDC":{"uniqueItems":true,"type":"string","description":"The container for which to stream logs. Defaults to only container if there is one container in the pod.","name":"container","in":"query"},"container-_Q-EJ3nR":{"uniqueItems":true,"type":"string","description":"The container in which to execute the command. Defaults to only container if there is only one container in the pod.","name":"container","in":"query"},"container-i5dOmRiM":{"uniqueItems":true,"type":"string","description":"Container in which to execute the command. Defaults to only container if there is only one container in the pod.","name":"container","in":"query"},"continue-QfD61s0i":{"uniqueItems":true,"type":"string","description":"The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the \"next key\".\n\nThis field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.","name":"continue","in":"query"},"fieldManager-7c6nTn1T":{"uniqueItems":true,"type":"string","description":"fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).","name":"fieldManager","in":"query"},"fieldManager-Qy4HdaTW":{"uniqueItems":true,"type":"string","description":"fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.","name":"fieldManager","in":"query"},"fieldSelector-xIcQKXFG":{"uniqueItems":true,"type":"string","description":"A selector to restrict the list of returned objects by their fields. Defaults to everything.","name":"fieldSelector","in":"query"},"follow-9OIXh_2R":{"uniqueItems":true,"type":"boolean","description":"Follow the log stream of the pod. Defaults to false.","name":"follow","in":"query"},"force-tOGGb0Yi":{"uniqueItems":true,"type":"boolean","description":"Force is going to \"force\" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.","name":"force","in":"query"},"gracePeriodSeconds--K5HaBOS":{"uniqueItems":true,"type":"integer","description":"The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.","name":"gracePeriodSeconds","in":"query"},"insecureSkipTLSVerifyBackend-gM00jVbe":{"uniqueItems":true,"type":"boolean","description":"insecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet).","name":"insecureSkipTLSVerifyBackend","in":"query"},"labelSelector-5Zw57w4C":{"uniqueItems":true,"type":"string","description":"A selector to restrict the list of returned objects by their labels. Defaults to everything.","name":"labelSelector","in":"query"},"limit-1NfNmdNH":{"uniqueItems":true,"type":"integer","description":"limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.\n\nThe server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.","name":"limit","in":"query"},"limitBytes-zwd1RXuc":{"uniqueItems":true,"type":"integer","description":"If set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit.","name":"limitBytes","in":"query"},"logpath-Noq7euwC":{"uniqueItems":true,"type":"string","description":"path to the log","name":"logpath","in":"path","required":true},"namespace-vgWSWtn3":{"uniqueItems":true,"type":"string","description":"object name and auth scope, such as for teams and projects","name":"namespace","in":"path","required":true},"orphanDependents-uRB25kX5":{"uniqueItems":true,"type":"boolean","description":"Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the \"orphan\" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.","name":"orphanDependents","in":"query"},"path-QCf0eosM":{"uniqueItems":true,"type":"string","description":"Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy.","name":"path","in":"query"},"path-oPbzgLUj":{"uniqueItems":true,"type":"string","description":"Path is the URL path to use for the current proxy request to pod.","name":"path","in":"query"},"path-rFDtV0x9":{"uniqueItems":true,"type":"string","description":"Path is the URL path to use for the current proxy request to node.","name":"path","in":"query"},"path-z6Ciiujn":{"uniqueItems":true,"type":"string","description":"path to the resource","name":"path","in":"path","required":true},"ports-91KROJmm":{"uniqueItems":true,"type":"integer","description":"List of ports to forward Required when using WebSockets","name":"ports","in":"query"},"pretty-tJGM1-ng":{"uniqueItems":true,"type":"string","description":"If 'true', then the output is pretty printed. Defaults to 'false' unless the user-agent indicates a browser or command-line HTTP tool (curl and wget).","name":"pretty","in":"query"},"previous-1jxDPu3y":{"uniqueItems":true,"type":"boolean","description":"Return previous terminated container logs. Defaults to false.","name":"previous","in":"query"},"propagationPolicy-6jk3prlO":{"uniqueItems":true,"type":"string","description":"Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.","name":"propagationPolicy","in":"query"},"resourceVersion-5WAnf1kx":{"uniqueItems":true,"type":"string","description":"resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset","name":"resourceVersion","in":"query"},"resourceVersionMatch-t8XhRHeC":{"uniqueItems":true,"type":"string","description":"resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.\n\nDefaults to unset","name":"resourceVersionMatch","in":"query"},"sendInitialEvents-rLXlEK_k":{"uniqueItems":true,"type":"boolean","description":"`sendInitialEvents=true` may be set together with `watch=true`. In that case, the watch stream will begin with synthetic events to produce the current state of objects in the collection. Once all such events have been sent, a synthetic \"Bookmark\" event will be sent. The bookmark will report the ResourceVersion (RV) corresponding to the set of objects, and be marked with `\"k8s.io/initial-events-end\": \"true\"` annotation. Afterwards, the watch stream will proceed as usual, sending watch events corresponding to changes (subsequent to the RV) to objects watched.\n\nWhen `sendInitialEvents` option is set, we require `resourceVersionMatch` option to also be set. The semantic of the watch request is as following: - `resourceVersionMatch` = NotOlderThan\n is interpreted as \"data at least as new as the provided `resourceVersion`\"\n and the bookmark event is send when the state is synced\n to a `resourceVersion` at least as fresh as the one provided by the ListOptions.\n If `resourceVersion` is unset, this is interpreted as \"consistent read\" and the\n bookmark event is send when the state is synced at least to the moment\n when request started being processed.\n- `resourceVersionMatch` set to any other value or unset\n Invalid error is returned.\n\nDefaults to true if `resourceVersion=\"\"` or `resourceVersion=\"0\"` (for backward compatibility reasons) and to false otherwise.","name":"sendInitialEvents","in":"query"},"sinceSeconds-vE2NLdnP":{"uniqueItems":true,"type":"integer","description":"A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified.","name":"sinceSeconds","in":"query"},"stderr-26jJhFUR":{"uniqueItems":true,"type":"boolean","description":"Stderr if true indicates that stderr is to be redirected for the attach call. Defaults to true.","name":"stderr","in":"query"},"stderr-W_1TNlWc":{"uniqueItems":true,"type":"boolean","description":"Redirect the standard error stream of the pod for this call.","name":"stderr","in":"query"},"stdin-PSzNhyUC":{"uniqueItems":true,"type":"boolean","description":"Redirect the standard input stream of the pod for this call. Defaults to false.","name":"stdin","in":"query"},"stdin-sEFnN3IS":{"uniqueItems":true,"type":"boolean","description":"Stdin if true, redirects the standard input stream of the pod for this call. Defaults to false.","name":"stdin","in":"query"},"stdout--EZLRwV1":{"uniqueItems":true,"type":"boolean","description":"Redirect the standard output stream of the pod for this call.","name":"stdout","in":"query"},"stdout-005YMKE6":{"uniqueItems":true,"type":"boolean","description":"Stdout if true indicates that stdout is to be redirected for the attach call. Defaults to true.","name":"stdout","in":"query"},"tailLines-2fRTNzbP":{"uniqueItems":true,"type":"integer","description":"If set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime","name":"tailLines","in":"query"},"timeoutSeconds-yvYezaOC":{"uniqueItems":true,"type":"integer","description":"Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.","name":"timeoutSeconds","in":"query"},"timestamps-c17fW1w_":{"uniqueItems":true,"type":"boolean","description":"If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false.","name":"timestamps","in":"query"},"tty-g7MlET_l":{"uniqueItems":true,"type":"boolean","description":"TTY if true indicates that a tty will be allocated for the attach call. This is passed through the container runtime so the tty is allocated on the worker node by the container runtime. Defaults to false.","name":"tty","in":"query"},"tty-s0flW37O":{"uniqueItems":true,"type":"boolean","description":"TTY if true indicates that a tty will be allocated for the exec call. Defaults to false.","name":"tty","in":"query"},"watch-XNNPZGbK":{"uniqueItems":true,"type":"boolean","description":"Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.","name":"watch","in":"query"}},"securityDefinitions":{"BearerToken":{"description":"Bearer Token authentication","type":"apiKey","name":"authorization","in":"header"}},"security":[{"BearerToken":[]}]} \ No newline at end of file